Malicious PDF — malware analysis report

Static analysis result for SHA-256 59d5ffcb12f0eeba…

MALICIOUS

PDF

53.9 KB Created: 2020-08-29 02:22:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa1e64ca2ad3cc1c015e4ddac9926d1c SHA-1: 1d447e7e9f30896d6767319b32238836df5cdcb5 SHA-256: 59d5ffcb12f0eebae3491e5b7c736383fb31257b1fc5748651e9ee901677e9bf
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including one pointing to a known malicious redirector at 'ttraff.ru'. The document body, though partially corrupted, appears to be a lure for a book search, aiming to trick users into clicking the malicious link. The presence of a PDF link farm heuristic further supports the malicious intent of distributing links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=out+of+my+mind+sharon+draper+free+pd
    • https://static.usrfiles.com/ugd/b8c837_dc3bc6cf448b46d28de180040076090d.pdf
    • https://static.usrfiles.com/ugd/b8c837_5784fc09946c43cf9efc5ff985258230.pdf
    • https://static.usrfiles.com/ugd/b8c837_e2aa5f7c293f40e8a49fb8af0b84d0d0.pdf
    • https://static.usrfiles.com/ugd/b8c837_9697dd7740e74475badebf05d2c73e82.pdf
    • https://static.usrfiles.com/ugd/b8c837_ffe5f4d356c04db99c343782e2aaf3dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_d0be39a27b6f43e6b04ff5b4aae01d85.pdf
    • https://static.usrfiles.com/ugd/b8c837_2dc492b0b03549709b0c968f3d0f165c.pdf
    • https://static.usrfiles.com/ugd/b8c837_6ac85aa85a6c4456be04a1ff789b1937.pdf
    • https://static.usrfiles.com/ugd/b8c837_6ab057cb3f5448f79db5af0863f7287d.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa7970f8d3f5486ba68204eadbf8bc0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_be8c6e44e0eb45b0aca01196cf3274ec.pdf
    • https://static.usrfiles.com/ugd/b8c837_3091be05b41e4d6ea2f3744bc94c4288.pdf
    • https://static.usrfiles.com/ugd/b8c837_ec3d689228164c1db9f51abafd93d476.pdf
    • https://static.usrfiles.com/ugd/b8c837_f4f23902e277478ba0bae8527c0f597e.pdf
    • https://static.usrfiles.com/ugd/b8c837_f53f307fa0df48128f1fe8f7a253689a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009468.bin
1869391ecca1ab87a43852de083930a6cf8d6bc5fc28154ea3c1db6a87fdc4ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9468 5376 bytes
font_01_sfnt_off0000a692.bin
9690c5b779b0a57e5e7c76dd71e630ee6636343441e48b56b200f88b31580833		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA692 10596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.