Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b295bff908dba5f…

MALICIOUS

PDF

46.0 KB Created: 2020-08-07 06:23:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ae0d8670932354b67a6a5af7b8f65d9 SHA-1: a5dc61fa921ae600c43829b66fea6a690dbb07e4 SHA-256: 6b295bff908dba5f67315f69fcb1d221312885ef5ce6ec1c9527554f248350e5
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document contains numerous links, many pointing to what appears to be a link farm designed for SEO manipulation. One critical finding indicates a link to known malicious redirector infrastructure at 'https://ttraff.ru/pify?keyword=german+grammar+books+for+beginners+pdf'. Additionally, heuristics suggest a lure for remote support tools, indicating a potential pretext for further compromise. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=german+grammar+books+for+beginners+pdf
    • http://files.fineartssociety.net/uploads/1/3/1/6/131636819/loxulufox-bukinib-fijew.pdf
    • http://files.gilchristwhatnot.com/uploads/1/3/0/9/130969545/c76008.pdf
    • http://files.laviishluxxe.com/uploads/1/3/0/7/130775942/1a41a3f.pdf
    • http://files.railwayterraceselfcatering.com/uploads/1/3/0/8/130873893/fuxisunijikezupenozi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0427/4028/5607/files/23144816445.pdf
    • https://cdn.shopify.com/s/files/1/0428/5458/0391/files/50961486509.pdf
    • https://cdn.shopify.com/s/files/1/0428/4035/9068/files/pawejatogiw.pdf
    • https://cdn.shopify.com/s/files/1/0429/1775/7095/files/fancy_nancy_coloring_pages.pdf
    • https://cdn.shopify.com/s/files/1/0433/2571/8678/files/runuterodexojelikavevigeb.pdf
    • https://cdn.shopify.com/s/files/1/0435/5942/0063/files/90248582030.pdf
    • https://cdn.shopify.com/s/files/1/0435/4975/3507/files/veroxefobodeludisatubaxu.pdf
    • https://cdn.shopify.com/s/files/1/0430/3549/2503/files/95369174348.pdf
    • https://cdn.shopify.com/s/files/1/0432/3019/9966/files/wivimogofuxagid.pdf
    • https://cdn.shopify.com/s/files/1/0432/8266/1526/files/gebozagavezevanafe.pdf
    • https://cdn.shopify.com/s/files/1/0427/8022/9791/files/54548121883.pdf
    • https://cdn.shopify.com/s/files/1/0430/5285/9543/files/xoliz.pdf
    • https://cdn.shopify.com/s/files/1/0434/7097/9237/files/pdf_file_kaise_banayenge.pdf
    • https://cdn.shopify.com/s/files/1/0435/3084/6363/files/72697466474.pdf
    • https://cdn.shopify.com/s/files/1/0430/1219/4463/files/getujetuvazatabesez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000743d.bin
3374d5fe3dff52eddfd06e1c9ec99cb890a5d8ee713349cf1d4bdd8a4db15c01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x743D 5564 bytes
font_01_sfnt_off0000870e.bin
7c61e9401eee2bd73bd700bc7d7b98f7c72e55b72650bcf382f2113f1365fee4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x870E 10508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.