Malicious PDF — malware analysis report

Static analysis result for SHA-256 90123ae202c9f661…

MALICIOUS

PDF

43.1 KB Created: 2020-08-31 09:11:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2b25fda3a41ed7db7075906b61207d16 SHA-1: cdccf6b79daf5bdd06bb2e5d8a0a159896fac1fc SHA-256: 90123ae202c9f6612624d25467811545745346f9c083d23ccb04e4340115da90
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=trane+xl80+furnace+parts+diagram'. The document body, though heavily obfuscated, appears to contain keywords related to 'Trane xl80 furnace parts diagram' and includes the malicious URL, suggesting a lure to a malicious site. The PDF also contains a large number of embedded links, many pointing to Shopify domains, which is indicative of a link farm used for SEO poisoning or to obscure the final malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=trane+xl80+furnace+parts+diagram
    • https://cdn.shopify.com/s/files/1/0433/2758/6457/files/ap_sachivalayam_notification_2020.pdf
    • https://cdn.shopify.com/s/files/1/0432/0667/2546/files/koralode.pdf
    • https://cdn.shopify.com/s/files/1/0435/7786/8443/files/alternative_to_lightroom_android.pdf
    • https://static.usrfiles.com/ugd/b8c837_9e0065230e734c89bf394a82127e6c96.pdf
    • https://static.usrfiles.com/ugd/9e41f0_511c820a2ccb40f483f60ef1cc5c3093.pdf
    • https://static.usrfiles.com/ugd/0df15e_d7e96d0ae55d4d2b8e9aba926b019c4a.pdf
    • https://static.usrfiles.com/ugd/c618e9_c18d829f35d146329562b4c8a2c31611.pdf
    • https://cdn.shopify.com/s/files/1/0428/4314/4359/files/bumasanazid.pdf
    • https://cdn.shopify.com/s/files/1/0431/2491/6388/files/8655145976.pdf
    • https://cdn.shopify.com/s/files/1/0428/2341/8019/files/28006396613.pdf
    • https://cdn.shopify.com/s/files/1/0432/5523/4710/files/carro_rojo_de_emergencia_definicion.pdf
    • https://cdn.shopify.com/s/files/1/0436/8944/3493/files/bts_world_game_apk.pdf
    • https://static.usrfiles.com/ugd/469aea_24f3590f8516469a98ad30f3742bd67f.pdf
    • https://static.usrfiles.com/ugd/f14cf6_dacb0d84e9b74df5922230312bce3777.pdf
    • https://static.usrfiles.com/ugd/dd4472_636d488db45b46e4a9d75803b8c26c47.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005af8.bin
f1fb2bf33b7d416e848456766673fe96b9716630f540765a2fb89901a9c6e579		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AF8 5600 bytes
font_01_sfnt_off00006de6.bin
48c807ddef2849ab3bc930d070e009d91276addc8d62c69f72f3bcc3321b2046		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DE6 10376 bytes
font_02_sfnt_off00009166.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9166 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.