Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e629c316df29205…

Verdict: MALICIOUS
File type: PDF
Size: 87.4 KB
Created: 2020-09-07 08:39:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b73bfe3aa5502fceaf0c11e1eaf352ca
SHA-1: 10c1c23072d3f27eda03b067a1803336d54625ad
SHA-256: 7e629c316df292050040cd6fa5b2e09b586c77428e9ba9433a02200901914ec0
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a link farm. The primary URL identified, https://ttraff.ru/wix?keyword=real+bike+racer+battle+mania+game, is a known malicious redirector. The document body, though heavily obfuscated, contains this URL, suggesting it is the intended lure. The presence of numerous links to external PDFs, many hosted on Shopify, indicates a strategy to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/wix?keyword=real+bike+racer+battle+mania+game

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000100d4.bin
  SHA-256: a19c079de6e952eb9d65ee2e8ad9be7547a735a237323fcaf3b428fea983a98b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100D4
  Size: 5152 bytes

Filename: font_01_sfnt_off00011251.bin
  SHA-256: b83ede265df67e4d3c9898256934d90fe51005f80e6c5bf1bc0ec86824ecd904
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11251
  Size: 12016 bytes

Filename: font_02_sfnt_off00013a86.bin
  SHA-256: d69de8ccc152775e01e4405aff28cc241a43865bbf679844daaadf1ef2f0a3f9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13A86
  Size: 16356 bytes