Malicious PDF — malware analysis report

Static analysis result for SHA-256 5947f5fb84363867…

Verdict: MALICIOUS
File type: PDF
Size: 155.7 KB
Created: 2020-09-01 18:02:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f7d8d40aa95b74ea60144bccaabfd70e
SHA-1: f4adede637eb25ca6b8075c1597a26f6e03f0d03
SHA-256: 5947f5fb8436386735b35fbf6af727138c6e54447488131d7145162bfb341b12
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF carries a clickable link to ttraff.ru, a known malicious redirector, which is highly indicative of a phishing or malware delivery attempt; the ML classifier independently scored the file as malicious (0.9956). The document body, though heavily obfuscated, contains the same URL, so the primary intent is to lure the user to that external resource through a redirect chain. No JavaScript, launch action or embedded executable was reported in the file, so the risk is driven by user interaction rather than by a parser exploit. The T1059.001 (PowerShell) mapping is not supported by any artifact extracted here and should be treated as unverified for this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the payload, if any, is served by the redirect chain and is not present in the file.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a URI, JavaScript or launch action).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL channel labels (macro, JS, link annotation, document body, ...) show how each URL is reached.
    • https://ttraff.ru/pify?keyword=augmented+reality+adalah+pdf (the clickable redirector link flagged above)
    • https://cdn.shopify.com/s/files/1/0440/7872/7318/files/cell_structure_and_function_packet_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0440/8036/5733/files/29507966484.pdf
    • https://cdn.shopify.com/s/files/1/0464/9022/2744/files/meaning_of_research_report_ppt.pdf
    • https://cdn.shopify.com/s/files/1/0432/1116/1768/files/76052468792.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_dfc7619052424c5489fd63c3dd8e42c6.pdf
    • https://static.usrfiles.com/ugd/c345b0_41a78e6b6e8e4b05bd9e56d664f0ea23.pdf
    • https://static.usrfiles.com/ugd/e78b77_c5d47b02c68a41d6afb9d125a0ac8323.pdf
    • https://cdn.shopify.com/s/files/1/0430/4211/1637/files/63370504595.pdf
    • https://cdn.shopify.com/s/files/1/0431/2511/2993/files/61938629883.pdf
    The following six entries are XMP/RDF namespace identifiers from the document's metadata packet (RDF, Dublin Core and Adobe PDF/XMP schemas). They appear in any PDF that carries XMP metadata and are not indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
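The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel labelling of EMBEDDED_URL) are easy to reproduce with a small script. The following is an added example written for this page, not the analysis platform's code; the input is a constructed PDF fragment with placeholder hostnames (files.example.com, redirector.example), the function names are hypothetical, and objects are located with a regex over `N G obj ... endobj` rather than by walking the xref table or decompressing streams, so it is a triage helper rather than a conforming PDF parser.

```python
"""Added example, not the analysis platform's code: a small static triage pass
that reproduces two heuristics from this report on a constructed PDF.
Objects are located with a regex over 'N G obj ... endobj' (no xref walking,
no stream decompression), so treat it as a triage helper, not a PDF parser."""
import re

# Constructed sample (hostnames are placeholders): object 5 0 is defined twice.
# A first-definition-wins reader resolves a harmless file link; a
# last-definition-wins reader resolves the redirector. Object 6 is an XMP packet.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 3 0 R /Metadata 6 0 R >>
endobj
3 0 obj
<< /Type /Page /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.com/notes.pdf) >> >>
endobj
6 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/pify?keyword=lure) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make a duplicated definition "active content".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/AA",
               b"/OpenAction", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")
# XMP/RDF namespace identifiers: present in any PDF with XMP metadata.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/", "http://ns.adobe.com/")


def parse_objects(data):
    """Every 'N G obj' definition in file order, including repeats."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3), m.start())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data):
    """(num, gen) pairs defined more than once with differing bodies.
    Returns {(num, gen): {count, first_wins, last_wins, active, severity}}."""
    bodies = {}
    for num, gen, body, _ in parse_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    findings = {}
    for key, defs in bodies.items():
        if len(set(defs)) < 2:
            continue  # identical re-definitions are not interesting
        active = any(k in b for b in defs for k in ACTIVE_KEYS)
        findings[key] = {
            "count": len(defs),
            "first_wins": defs[0],   # what a first-definition-wins reader sees
            "last_wins": defs[-1],   # what a last-definition-wins reader sees
            "active": active,
            "severity": "high" if active else "info",
        }
    return findings


def extract_urls(data):
    """Sorted (url, channel) pairs: 'link-annotation' for /URI actions,
    'xmp-metadata' for the XMP packet, 'document-body' for anything else."""
    found = set()
    for _, _, body, _ in parse_objects(data):
        if b"/Type /Metadata" in body or b"xmpmeta" in body:
            channel = "xmp-metadata"
        elif re.search(rb"/S\s*/URI", body):
            channel = "link-annotation"
        else:
            channel = "document-body"
        urls = {m.group(1) for m in URI_ACTION_RE.finditer(body)}
        urls |= {m.group(0) for m in URL_RE.finditer(body)}
        found |= {(u.decode("latin-1"), channel) for u in urls}
    return sorted(found)


def is_namespace_uri(url):
    """True for schema identifiers that are not navigable links."""
    return url.startswith(NAMESPACE_PREFIXES)


def triage(data):
    """Combine both checks into (rule, severity, detail) findings."""
    findings = []
    for (num, gen), d in find_duplicate_objects(data).items():
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", d["severity"],
                         f"{num} {gen} obj defined {d['count']}x with differing bodies"))
    for url, channel in extract_urls(data):
        sev = "info" if is_namespace_uri(url) else "review"
        findings.append(("EMBEDDED_URL", sev, f"[{channel}] {url}"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in triage(SAMPLE_PDF):
        print(f"{sev:6} {rule:36} {detail}")
```

On the constructed input the duplicate of object `5 0` is reported at severity high because both bodies carry a `/URI` action, and the redirector URL is labelled `link-annotation` while the RDF namespace from the XMP packet is labelled `xmp-metadata` and downgraded to info. A real triage pass would additionally decompress FlateDecode streams (the document body here is "heavily obfuscated" in a content stream) and resolve the redirector's reputation out of band.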

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams; no heuristic fired on them.

  • font_00_sfnt_off00020d9c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20D9C
    Size: 6968 bytes
    SHA-256: bccd68718e758c7ca0ca326c82e1b257789e5d70e3a5bc58a167f0f12b999013
  • font_01_sfnt_off0002251f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2251F
    Size: 5368 bytes
    SHA-256: 1c7cf234605064a28e213fda8b4948f619a1616ebe98f70dbbdfb8def47d6bf8
  • font_02_sfnt_off00023740.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23740
    Size: 13120 bytes
    SHA-256: 5f1765b6dc8967cab398dbe9a804fa5f201bfe0ef0f662263ae59a74cc4e8912