Malicious PDF — malware analysis report

Static analysis result for SHA-256 50bb3fe2fb2a6fab…

MALICIOUS

PDF

43.9 KB Created: 2020-08-06 06:59:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5c0e6c67156fc67c52ebc5cdb123762 SHA-1: d045fb9aad3951dc8c407ba50b23e52c1cd1e247 SHA-256: 50bb3fe2fb2a6fab960c40632d8a33fff2b41f0815e61ba0cd6081d930d8ee96
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document is identified as malicious due to a critical heuristic firing for a malicious redirector link. The document contains a large number of embedded links, presented as "maths worksheets for preschoolers pdf", which ultimately redirect to the malicious domain ttraff.ru. This indicates a likely attempt to lure users to malicious infrastructure through a deceptive pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=maths+worksheets+for+preschoolers+pdf
    • http://files.caalam.us/uploads/1/3/0/9/130969390/puzesekivud_raxezemexot_xategubugovenut_fuzixanaxemavu.pdf
    • http://files.inter-nda.com/uploads/1/3/1/3/131379049/1779210.pdf
    • http://files.sexeducationbytheatre.com/uploads/1/3/1/4/131406977/wuvamubu.pdf
    • https://cdn.shopify.com/s/files/1/0431/9051/7911/files/bazapoxelobo.pdf
    • https://cdn.shopify.com/s/files/1/0433/1202/1662/files/zofemokoxodotiniwafudoto.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/78476378890.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gigogew.pdf
    • https://cdn.shopify.com/s/files/1/0430/6151/0293/files/welusotikiv.pdf
    • https://cdn.shopify.com/s/files/1/0436/0513/1421/files/60261286856.pdf
    • https://cdn.shopify.com/s/files/1/0434/4443/7144/files/nosafupomudivewegafa.pdf
    • https://cdn.shopify.com/s/files/1/0429/7365/9290/files/59001271573.pdf
    • https://cdn.shopify.com/s/files/1/0427/6980/9564/files/nuvuxa.pdf
    • https://cdn.shopify.com/s/files/1/0432/9711/2219/files/beseneru.pdf
    • https://cdn.shopify.com/s/files/1/0434/2677/5196/files/65662135186.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060ab.bin
cb4916715f518a8b669025cfb5e1e21a9d023912c45d25a1e18a22a4ca5b569c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60AB 5036 bytes
font_01_sfnt_off000071f9.bin
3791851b32ce0aca9a486172bd512da46ea495c31e43f485f45c7f3def36be9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71F9 10084 bytes
font_02_sfnt_off00009491.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9491 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.