Malicious PDF — malware analysis report

Static analysis result for SHA-256 6edeb9b7565da1ea…

MALICIOUS

PDF

Size: 154.1 KB
Created: 2020-09-19 13:12:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82ac81303edd496650e255839eebe5cb
SHA-1: 654b28d9138fdcec5d4471ae98283f6674a9c0c2
SHA-256: 6edeb9b7565da1eac91c9699298731f71b47f82728ba38606f40b032c5388fd1
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, ttraff.ru, which is highly indicative of malicious intent. The ML classifier also strongly flagged this PDF. While no scripts were explicitly extracted, the presence of embedded URLs and the malicious redirector suggest the PDF is designed to lure users to a compromised site, likely for phishing or to download further malware. The document body is heavily obfuscated and appears to be generated by wkhtmltopdf, suggesting it's not intended for direct user reading but rather as a container for the malicious link.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=%25D8%25B3%25D9%258A%25D8%25B1%25D9%2581%25D8%25B1%25D8%25A7%25D8%25AA+%25D9%2585%25D8%25A7%25D9%258A%25D9%2586+%25D9%2583%25D8%25B1%25D8%25A7%25D9%2581%25D8%25AA+%25D9%2584%25D9%2584%25D9%2583%25D9%2585%25D8%25A8%25D9%258A%25D9%2588%25D8%25AA%25D8%25B1

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
stream_009_off00021cf9.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x21CF9   33440 bytes
  SHA-256: 5409e74ff473d3b7eec1c6266a21de68d5a77fc56e3eb888d81e6d629c5e56fd
font_00_sfnt_off0001abd0.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1ABD0  4068 bytes
  SHA-256: 8820af67dab28461c3733bdaa7b331925867dfa18397ddf4c112174cc962db1a
font_01_sfnt_off0001b9ab.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1B9AB  2316 bytes
  SHA-256: 374e1bc11049e2750aa53ff29b446c0e843747e6ee03840a29de6d159c99b266
font_02_sfnt_off0001c392.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1C392  1820 bytes
  SHA-256: 0303389257006ef34267af7c00867e17e7ff24e933f2e64295890f6d286674d8
font_03_sfnt_off0001cc79.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1CC79  17564 bytes
  SHA-256: fe3d9de5d835018e99a5de0dab149c7b53670626b7bc82aa50635c8793d76c62
font_04_sfnt_off00020155.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x20155  18236 bytes
  SHA-256: f2836f5860936dbe19c616e27bfe114459761cfce2751ad86daf4ca76c79507c