Malicious PDF — malware analysis report

Static analysis result for SHA-256 79fe758fe75f58e7…

Verdict: MALICIOUS

File type: PDF

Size: 69.8 KB
Created: 2020-08-07 15:04:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 05cabb1b51a1ad78ac38d6522b6c08cf
SHA-1: f5b504f588e7b3545e4a840aef8c4c0913950b4e
SHA-256: 79fe758fe75f58e7d3c2f5b9ce811113310868970730f28443607fd7e96ef1fa

Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The ML classifier also strongly indicated maliciousness. The PDF appears to be a link farm designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=can+calibre+convert+pdf+to+kindle+format

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cb7a.bin
  SHA-256: 2a2e9336ac61ac0ab049f64516a0892a8bb198b28015cec02e7d0e04f0f640dd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCB7A
  Size: 5292 bytes

Filename: font_01_sfnt_off0000dd6a.bin
  SHA-256: dbd62487ba6f646503d418b64834d665fc540368721bc4450a2f924a56c5020b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDD6A
  Size: 13752 bytes