Malicious PDF — malware analysis report

Static analysis result for SHA-256 9527b8b8c8dd81db…

MALICIOUS

PDF

Size: 36.9 KB
Created: 2020-09-02 01:50:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab6cfbc754095ce3e09a14b2f9844d90
SHA-1: ab6c6847bbf5ed0220fe1eb266f2c0d750dc339f
SHA-256: 9527b8b8c8dd81db7e34488345e4e59dab94cba5b4f88b415a7ce9e3fe70058c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link to 'ttraff.ru' is identified as a malicious redirector. This suggests the document is designed to lead users to malicious infrastructure under the guise of providing downloadable content. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=blueprints+neurology+fifth+edition+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000520c.bin
    SHA-256: 011fce254710b2023e0b93c8aa293d395d0f894ea854dde32ba360a64ef11a2c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x520C
    Size: 5244 bytes
  • font_01_sfnt_off000063e9.bin
    SHA-256: 85a7fa7d14c9ce52f3bf1586a170e8ca44e5d562e8e2799e41aef5d063cd31fd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63E9
    Size: 10196 bytes