Malicious PDF — malware analysis report

Static analysis result for SHA-256 56803c12a15dd1c3…

MALICIOUS

PDF

38.8 KB Created: 2020-08-19 01:58:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3c8b165635dd22b2ab49dab89495b05 SHA-1: 76f193238bc45ae63af1eb436405b944a3dcb243 SHA-256: 56803c12a15dd1c37ee6f06b33edf6d88b579d598791587d9dd76464144da87a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The document body, though partially corrupted, contains a URL that matches the malicious redirector. The presence of numerous embedded links, including one pointing to 'ttraff.ru', strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=antena+tv+apk+new+version
    • http://gaxapi.karensnovels.com/uploads/1/3/1/3/131378816/xilur_verokuwesabisi_fevufuruw_nuvigus.pdf
    • http://files.stefaniazissi.com/uploads/1/3/1/4/131407493/mimebidu.pdf
    • https://cdn.shopify.com/s/files/1/0432/9019/8180/files/adenitis_mesenterica_en_nios.pdf
    • https://cdn.shopify.com/s/files/1/0429/9656/4131/files/79054043804.pdf
    • https://cdn.shopify.com/s/files/1/0431/0764/7639/files/46410727623.pdf
    • https://cdn.shopify.com/s/files/1/0434/2831/5293/files/31792088240.pdf
    • https://cdn.shopify.com/s/files/1/0438/4777/8469/files/faxiduvorararurofa.pdf
    • https://cdn.shopify.com/s/files/1/0432/4248/7963/files/vinefesutobe.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/51439980706.pdf
    • https://cdn.shopify.com/s/files/1/0431/9005/9176/files/sojaguzunex.pdf
    • https://cdn.shopify.com/s/files/1/0428/8384/2215/files/1689753477.pdf
    • https://cdn.shopify.com/s/files/1/0433/7346/1660/files/8837258428.pdf
    • https://cdn.shopify.com/s/files/1/0434/5564/3813/files/bash_shell_in_linux.pdf
    • https://cdn.shopify.com/s/files/1/0434/0921/1557/files/nexami.pdf
    • https://cdn.shopify.com/s/files/1/0439/2134/2619/files/mississippi_driver_s_permit_book.pdf
    • https://cdn.shopify.com/s/files/1/0450/7618/5253/files/jusudopiwadi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c36.bin
b7c1663a2408381bb953a8de6199c4b77f24b7db86fc7e142717f9bbdd45273b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C36 4984 bytes
font_01_sfnt_off00006d4e.bin
970d3c69272f47b2f67355b9f79e8da95165259c366da2c18a0e4d10603ca14c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D4E 9736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.