Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d0916393ea5960a…

Verdict: MALICIOUS
File type: PDF
Size: 52.9 KB
Created: 2020-08-15 05:08:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b5e3ddbe8a45be2652efc6b13b555ce
SHA-1: 503f8c0307378457ae4d6fdd870265166d565bd0
SHA-256: 5d0916393ea5960a75c593d15e805f1125dcdcfc39d425d4441d25437d3ea6f0
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

A critical heuristic fires because the PDF links to known malicious redirector infrastructure, specifically 'ttraff.ru'. The document body, though partially corrupted, contains text related to 'Photoshop cs3 camera raw plugin free' together with the malicious URL, consistent with a lure aimed at users searching for free software downloads. The many other links to external PDFs, most of them hosted on cdn.shopify.com, point to a link farm or SEO-manipulation tactic used to route searchers into the malicious delivery chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. For triage, note that the w3.org, purl.org and ns.adobe.com entries below are XMP metadata namespace identifiers, the gnu.org and sil.org entries are licence pointers typical of embedded open-source fonts, and the opentle.org, ascendercorp.com and daltonmaag.com entries appear to be vendor/designer URLs from the embedded fonts' name tables; the ttraff.ru redirector and the external .pdf links are the ones that matter.
    • https://ttraff.ru/pify?keyword=photoshop+cs3+camera+raw+plugin+free
    • http://files.rdcpcare.com/uploads/1/3/1/1/131163687/belotab.pdf
    • http://files.childrenscookingclasses.org/uploads/1/3/0/7/130740429/923355.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0434/2952/7709/files/87112872414.pdf
    • https://cdn.shopify.com/s/files/1/0437/7473/8581/files/gonujo.pdf
    • https://cdn.shopify.com/s/files/1/0440/5588/8022/files/behaviorist_theory_in_education.pdf
    • https://cdn.shopify.com/s/files/1/0430/4365/1735/files/lezumukapekuvonelefabibap.pdf
    • https://cdn.shopify.com/s/files/1/0434/6799/7344/files/pdf_to_word_converter_free_with_crack.pdf
    • https://cdn.shopify.com/s/files/1/0429/8617/6665/files/32630280467.pdf
    • https://cdn.shopify.com/s/files/1/0433/1415/1589/files/goxupolesufuvuxuwok.pdf
    • https://cdn.shopify.com/s/files/1/0437/3915/2535/files/ffix_chocobo_hot_and_cold_guide.pdf
    • https://cdn.shopify.com/s/files/1/0429/1824/8601/files/80607127373.pdf
    • https://cdn.shopify.com/s/files/1/0427/4143/2487/files/20295673115.pdf
    • https://cdn.shopify.com/s/files/1/0433/5586/5242/files/beneath_your_beautiful_sheet_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL
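Added here as a worked example, not the analysis platform's own code: a stdlib-only Python scanner that reproduces the shape of the three heuristics above (redirector link, SEO link farm, duplicate object bodies) on a constructed PDF-like byte blob. It labels each extracted URL with the channel that reached it, applies the redirector and link-farm checks, and shows why a duplicated object number matters by resolving the object under first-wins and last-wins policies. The redirector host set, the thresholds, the metadata-prefix list and the sample bytes are all assumptions; only ttraff.ru and the URL shapes come from the report.

```python
"""Triage scanner for the three heuristics above (redirector link, SEO link
farm, duplicate object bodies). Added example, not the platform's own code.
Assumes an unencrypted PDF with no /ObjStm object streams, link targets as
/URI (...) literal strings in plain objects or Flate streams."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Only ttraff.ru is named in the report; a deployment would load this from intel.
REDIRECTOR_HOSTS = {"ttraff.ru"}
# XMP namespace identifiers and font-licence pointers are not lures (assumed list).
METADATA_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://purl.org/dc/",
                     "http://ns.adobe.com/", "http://www.gnu.org/licenses/", "http://scripts.sil.org/")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
LINK_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")


def inflate_streams(data: bytes) -> bytes:
    """Original bytes followed by the inflated body of every Flate stream."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates a trailing byte eaten by the EOL match
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (e.g. a raw sfnt font body)
    return b"\n".join(parts)


def extract_urls(data: bytes) -> dict:
    """url -> channel: link_annotation, metadata, or text (anything else)."""
    blob = inflate_streams(data)
    channels = {}
    for m in ANY_URL_RE.finditer(blob):
        url = m.group(0).decode("latin-1")
        channels[url] = "metadata" if url.startswith(METADATA_PREFIXES) else "text"
    for m in LINK_RE.finditer(blob):  # clickable link annotations take precedence
        channels[m.group(1).decode("latin-1")] = "link_annotation"
    return channels


def link_farm(urls, size_bytes, max_size=100_000, min_links=8, share=0.5):
    """(fires, dominant_host, pdf_link_count): small file, many external .pdf
    links, most on one host. Thresholds are illustrative assumptions."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    if not pdf_links:
        return False, None, 0
    host, top = Counter(urlparse(u).netloc.lower() for u in pdf_links).most_common(1)[0]
    fires = size_bytes <= max_size and len(pdf_links) >= min_links and top / len(pdf_links) >= share
    return bool(fires), host, len(pdf_links)


def duplicate_objects(data: bytes) -> dict:
    """(num, gen) -> distinct bodies, for objects defined more than once."""
    variants = {}
    for m in OBJ_RE.finditer(data):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if body not in variants.setdefault(key, []):
            variants[key].append(body)
    return {k: v for k, v in variants.items() if len(v) > 1}


def resolve(data: bytes, num: int, gen: int, policy: str = "last"):
    """Body a first-wins or last-wins reader resolves for object (num, gen)."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(data)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    return None if not bodies else (bodies[0] if policy == "first" else bodies[-1])


def scan(data: bytes) -> dict:
    urls = extract_urls(data)
    lures = [u for u, ch in urls.items() if ch != "metadata"]
    fires, host, n = link_farm(lures, len(data))
    return {"redirector_links": sorted(u for u in lures if urlparse(u).netloc.lower() in REDIRECTOR_HOSTS),
            "link_farm": fires, "link_farm_host": host, "pdf_link_count": n,
            "duplicate_objects": sorted(duplicate_objects(data)), "url_channels": urls}


def build_sample() -> bytes:
    """Constructed PDF-shaped blob mirroring the report's findings; it is not
    the analysed file and not a renderable PDF (no xref table)."""
    def link(url):
        return b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + url.encode() + b") >> >>"
    farm = [f"https://cdn.shopify.com/s/files/1/04{i:02d}/files/{i}.pdf" for i in range(10)]
    farm_stream = zlib.compress(b"\n".join(link(u) for u in farm))
    return b"\n".join([
        b"%PDF-1.4",
        b"1 0 obj " + link("https://ttraff.ru/pify?keyword=photoshop+cs3+camera+raw+plugin+free") + b" endobj",
        b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + farm_stream + b"\nendstream\nendobj",
        b"3 0 obj << /Type /Page /Contents 4 0 R >> endobj",
        b"4 0 obj << >>\nstream\n(Photoshop cs3 camera raw plugin free http://example.org/readme) Tj\nendstream\nendobj",
        b'5 0 obj <x:xmpmeta xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
        b' xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/> endobj',
        # object 3 redefined with a different body: a last-wins reader sees the link
        b"3 0 obj << /Type /Page /Contents 4 0 R /Annots [1 0 R] >> endobj",
    ])
```

Calling scan(build_sample()) returns the ttraff.ru URL as a redirector hit, fires the link-farm check on cdn.shopify.com with 10 PDF links, and reports object (3, 0) as defined twice; resolve() shows that only the last-wins view carries the /Annots entry. The regex approach is deliberately minimal: it does not handle object streams, encrypted files or hex-string URIs, so for production triage feed a real PDF parser's object tree into the same checks.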

Extracted artifacts 4

Files carved from inside the sample during analysis.

stream_004_off0000784a.bin
  SHA-256: 838946858674012ccd075e5f2c1cd0ef98f003b78e228c251efa91bc7f3a6556
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x784A
  Size: 7176 bytes

font_00_sfnt_off0000657e.bin
  SHA-256: abbf65d5b38c42d9f314f9935c391e6857abf035ed68439125eb77f9f4747677
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x657E
  Size: 5568 bytes

font_02_sfnt_off00008bc6.bin
  SHA-256: 8ce59afe4a78d4b31d0318de27795b55395369547796f58e4d64fd7f60a1dc76
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8BC6
  Size: 14056 bytes

font_03_sfnt_off0000b80b.bin
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB80B
  Size: 4324 bytes