Malicious PDF — malware analysis report

Static analysis result for SHA-256 919832530a5f84a6…

MALICIOUS

PDF

66.4 KB Created: 2020-08-31 01:22:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a0403834efb4201e2e8bf1cd34cb917e SHA-1: edaacc4f0fa7ca7474851ef0bbac7fae8bf0f146 SHA-256: 919832530a5f84a651a19969be88de617b30b245b6d2239afa24b41791a189ce
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. The document body, though heavily obfuscated, also contains this URL. The presence of a link farm heuristic further suggests malicious intent, likely to drive traffic to malicious infrastructure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=carte+continents+et+oc%2525C3%2525A9ans+vierge+a+imprimer
    • https://cdn.shopify.com/s/files/1/0431/6659/7288/files/buguvodubiwibaranu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6714/6397/files/vowalipozuzegulejasax.pdf
    • https://cdn.shopify.com/s/files/1/0436/6503/1321/files/23099227603.pdf
    • https://cdn.shopify.com/s/files/1/0432/4950/0315/files/zewusajimifo.pdf
    • https://cdn.shopify.com/s/files/1/0438/9784/7976/files/msc_business_information_systems_management_middlesex_university.pdf
    • https://cdn.shopify.com/s/files/1/0427/7665/8087/files/binary_code_generator.pdf
    • https://cdn.shopify.com/s/files/1/0434/1740/3549/files/vufipuberegukilefibexafel.pdf
    • https://cdn.shopify.com/s/files/1/0431/5312/9640/files/php_current_year.pdf
    • https://cdn.shopify.com/s/files/1/0431/7937/6798/files/hofmann_bromamide_reaction.pdf
    • https://cdn.shopify.com/s/files/1/0432/8374/2884/files/ectomorph_transformation_3_months.pdf
    • https://cdn.shopify.com/s/files/1/0430/1501/2511/files/62767515635.pdf
    • https://cdn.shopify.com/s/files/1/0432/3459/0878/files/alimentos_ricos_en_hierro_minsa.pdf
    • https://cdn.shopify.com/s/files/1/0428/2885/7503/files/dajisapotojeniwetubusiwij.pdf
    • https://cdn.shopify.com/s/files/1/0431/0745/1029/files/kexuzobeloxupolisironez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bc91.bin
48cafe961b9f37404e42e8e5cfc78c829d810de24b387a2b2d1989352b552d67		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC91 5328 bytes
font_01_sfnt_off0000ce62.bin
aa440abb646f65f71d80a9672f4a5c6bd3fdbaf73eceab8fff24a348b21f44e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE62 13816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.