Malicious PDF — malware analysis report

Static analysis result for SHA-256 90fdb0f7140986d5…

MALICIOUS

PDF

83.1 KB Created: 2020-09-02 14:18:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 978c5b710b577c5180010ec555d27770 SHA-1: d0a5ff4fbabde67de333b8a693082be859885846 SHA-256: 90fdb0f7140986d585565a41fdf5bc04070e080e3b86eeb0349465aa64a4a335
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, with a critical heuristic firing for PDF_SEO_LINK_FARM. One of these links, https://ttraff.ru/wix?keyword=kelly+rowland+commander+mp4, is flagged as malicious by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body contains garbled text but includes the malicious URL, suggesting a lure to a potentially malicious site. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=kelly+rowland+commander+mp4
    • https://cdn.shopify.com/s/files/1/0430/1612/6625/files/pesasotiluvo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/95509007145.pdf
    • https://cdn.shopify.com/s/files/1/0432/6286/9670/files/garden_answer_limelight_hydrangea.pdf
    • https://cdn.shopify.com/s/files/1/0428/3164/2780/files/3454340697.pdf
    • https://cdn.shopify.com/s/files/1/0437/0753/1414/files/paxulamubex.pdf
    • https://cdn.shopify.com/s/files/1/0429/9587/5989/files/49030923832.pdf
    • https://static.usrfiles.com/ugd/115d6e_542e8c78ab1144ee9555612e59a65223.pdf
    • https://static.usrfiles.com/ugd/362633_4dea78a9bc24439ab617c62e7a9e4a8e.pdf
    • https://static.usrfiles.com/ugd/5be868_ef32cbf0c10f40bfacb008d5ca29263b.pdf
    • https://static.usrfiles.com/ugd/bb05c1_8a91280e619c467db3133cb0aefd4f14.pdf
    • https://static.usrfiles.com/ugd/cc3ca9_00d9919a01ed4a2c92056ef841ab915d.pdf
    • https://static.usrfiles.com/ugd/f09a9d_558347b3da324240bc36c0832ebe6893.pdf
    • https://static.usrfiles.com/ugd/0b46e6_5182739eaebb4b7292c7141619280d46.pdf
    • https://static.usrfiles.com/ugd/b0b521_b9638091fdf3428182219ab365e5e508.pdf
    • https://static.usrfiles.com/ugd/b8c837_c59f01c313944bd89b6c6d5c60b9c983.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e81d.bin
cb9d831e07319cca252f9e135f4ec0288d68090b38ea2fd3adb87419192c0716		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE81D 5292 bytes
font_01_sfnt_off0000fa2b.bin
edc22c9a805449c40dbb432fa74067a55d1f6c56c2a844c9c87c3925df2fdc31		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA2B 11268 bytes
font_02_sfnt_off00011fe8.bin
9e8409b995ac2b0bb76eb3eb8dd1c90fa55d1c1c8a40bb5daa08ca4080948d13		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11FE8 18776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.