Malicious PDF — malware analysis report

Static analysis result for SHA-256 597e3ff49eebf6c5…

MALICIOUS

PDF

40.6 KB Created: 2020-08-30 01:07:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0277b1c579920ef2e24d91592f3a47b0 SHA-1: 1417c2272244f834328867e21c4c7e1d7ad4d676 SHA-256: 597e3ff49eebf6c5b652c3e90c68528b6f0a328a303ace3ad3761617a496f17d
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a malicious redirector link disguised as a torrent download for the movie 'Yennai Arindhaal'. This link, 'https://ttraff.ru/wix?keyword=yennai+arindhaal+torrent', is designed to lead the user to malicious infrastructure. The document also functions as a link farm, embedding numerous other links, many of which point to Shopify domains, likely to obscure the malicious intent and evade detection. The ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=yennai+arindhaal+torrent
    • https://cdn.shopify.com/s/files/1/0428/8688/9625/files/zedesanolowigokosakivu.pdf
    • https://cdn.shopify.com/s/files/1/0433/5943/6968/files/13627891369.pdf
    • https://cdn.shopify.com/s/files/1/0431/7511/6964/files/goronawom.pdf
    • https://cdn.shopify.com/s/files/1/0435/3271/4135/files/series_and_parallel_circuits_workshe.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xovigaza.pdf
    • https://static.usrfiles.com/ugd/ae059d_b3c42c31abde488a9be9f5e4d9a15c19.pdf
    • https://static.usrfiles.com/ugd/9219f8_227a670623834935bf86822260bdf456.pdf
    • https://static.usrfiles.com/ugd/b8c837_c76a66380c9f4b50990411721f5d42fe.pdf
    • https://static.usrfiles.com/ugd/b8c837_047d7581b34d4ac0aea64f87fae868b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_84e9cb0a2e9c485fb7883d8ff08fdfe1.pdf
    • https://static.usrfiles.com/ugd/a467d2_83ecdccc61054d7c8b2b02fc09d3ac8b.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1a357972d654b30a6875ce4de228798.pdf
    • https://cdn.shopify.com/s/files/1/0431/2940/5600/files/40967370538.pdf
    • https://cdn.shopify.com/s/files/1/0433/4256/1433/files/reporting_car_accident_online.pdf
    • https://cdn.shopify.com/s/files/1/0430/0043/0746/files/babizimaxotopabebuwigutu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/33078626275.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006107.bin
29b89848bcee1279facb29c5529b2fed3b0589b26a6c38ee78061de239c2de26		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6107 4696 bytes
font_01_sfnt_off000070ec.bin
a9b77b7f60dc84e41068714ab9d2ebd339983d3bdefa64c17314aae9378991d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70EC 10608 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.