Malicious PDF — malware analysis report

Static analysis result for SHA-256 58189785141d170e…

MALICIOUS

PDF

65.9 KB Created: 2020-08-30 11:57:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 049c72cfc56d21e3d9d7f690ba36f2e4 SHA-1: 9bee0949d4d341d3713019e236f60caca84f777d SHA-256: 58189785141d170e2b50df9ede5827920dfea7e5db0dbd6a96fbe2a25169654d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link pointing to ttraff.ru, which is associated with malicious activity. The document body, though heavily obfuscated, contains this URL and another benign-looking PDF URL. The presence of a link farm heuristic further suggests an attempt to distribute malicious content or SEO spam. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=samsung+ks8000+65+manual
    • https://static.usrfiles.com/ugd/22739b_9e1818a8688a4d1db5d3f36f2ee6b83f.pdf
    • https://static.usrfiles.com/ugd/63d3ad_a8a99d4679ac4c6e95ef5a2d00813cc8.pdf
    • https://static.usrfiles.com/ugd/b8c837_210a4ab052ec42d4be215df5bd1cca5b.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_803b8488920d437ab683ca3cc0edf394.pdf
    • https://cdn.shopify.com/s/files/1/0437/8833/7303/files/72465199440.pdf
    • https://static.usrfiles.com/ugd/69695d_855ed8af29b44c3fad038bef8ecb0956.pdf
    • https://static.usrfiles.com/ugd/b8c837_2af84211bd3b42d4a2fc601104296d2d.pdf
    • https://static.usrfiles.com/ugd/19103d_a74fac1cc3d54eefb49ee1fe4463bb4f.pdf
    • https://cdn.shopify.com/s/files/1/0455/6242/9605/files/dunofuwedik.pdf
    • https://cdn.shopify.com/s/files/1/0440/2728/1558/files/vinayaka_chavithi_pooja_telugu.pdf
    • https://cdn.shopify.com/s/files/1/0435/6761/2063/files/26129233291.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c3da.bin
d166451afc8e20581324f7e5e3e7bfa678ee73dbb299be65faa6f9603dfe0dfb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC3DA 5692 bytes
font_01_sfnt_off0000d727.bin
4cbf24eedd59f7bdeb8dddcfb99491b57948a01991f43e3d378654c3ad58236e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD727 10524 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.