Malicious PDF — malware analysis report

Static analysis result for SHA-256 9691a76e623c1ea5…

MALICIOUS

PDF

Size: 118.7 KB
Created: 2020-09-01 08:26:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2688fbcf79543931ee413c55765bef6b
SHA-1: 489f39dc1ad21d7398346640baea06d98a3f4f3f
SHA-256: 9691a76e623c1ea59456e669ba5a571a256ae909eacb425695ba8c82033361b1
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=11th+half+yearly+answer+key+2018+commerce'. This URL is presented within the document body, disguised as an academic answer key. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many hosted on Shopify. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=11th+half+yearly+answer+key+2018+commerce
    • https://cdn.shopify.com/s/files/1/0438/0655/6322/files/71228022305.pdf
    • https://cdn.shopify.com/s/files/1/0434/7337/1300/files/wogexime.pdf
    • https://cdn.shopify.com/s/files/1/0429/7018/5879/files/19145986097.pdf
    • https://cdn.shopify.com/s/files/1/0432/6621/2003/files/96826475578.pdf
    • https://cdn.shopify.com/s/files/1/0449/4072/2331/files/43974077669.pdf
    • https://cdn.shopify.com/s/files/1/0433/0065/1158/files/analytical_chemistry_lecture_notes.pdf
    • https://cdn.shopify.com/s/files/1/0430/4958/2743/files/bajujufejo.pdf
    • https://cdn.shopify.com/s/files/1/0433/2371/9845/files/fozejujivorazajolezafan.pdf
    • https://static.usrfiles.com/ugd/0ad6c7_7fafe0ae0e0042e6b91acd777f32c764.pdf
    • https://static.usrfiles.com/ugd/73c254_e2a1d92ec1ad434f83de6224d3a6860a.pdf
    • https://static.usrfiles.com/ugd/b8c837_b71340a52ce44950926d405c7b26cc05.pdf
    • https://static.usrfiles.com/ugd/f8de3e_56399ad724d0405582f52b3e2820c1b6.pdf
    • https://static.usrfiles.com/ugd/0dcf4b_9839b313b1d4459cb67569532b64153a.pdf
    • https://cdn.shopify.com/s/files/1/0437/7070/8125/files/passive_voice_exercises_all_tenses_multiple_choice.pdf
    • https://cdn.shopify.com/s/files/1/0460/1590/5951/files/ninja_foodi_grill_reviews_consumer_reports.pdf
    • https://cdn.shopify.com/s/files/1/0431/4257/8332/files/substitution_and_elimination_method.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_005_off000142de.bin
    SHA-256: 737ef20a416abef8e2cb2d2ec4c86a3342d232af62a10e38dad4aa3ba84c5959
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x142DE
    Size: 19852 bytes

font_00_sfnt_off00012f28.bin
    SHA-256: caed9cac0be06c3507def36df6e8a12c27b4b94aceb76921daed587edc2f526b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12F28
    Size: 5804 bytes

font_02_sfnt_off00016e27.bin
    SHA-256: 4a7a17ef0ba0b87d3101fb253220c21ebf70d31c9b38729fcc60725578a726a3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16E27
    Size: 1944 bytes

font_03_sfnt_off0001776f.bin
    SHA-256: 0902c217bb1d0ea438814d191092d2c0a18ddacc9d4b2b84ebcbeb26f6043056
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1776F
    Size: 15684 bytes

font_04_sfnt_off0001a7af.bin
    SHA-256: de5c7ed3f16be387c0962559da2342044f09b04d2ca5c65987e2e5d33df107e6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A7AF
    Size: 16364 bytes

font_05_sfnt_off0001bdf8.bin
    SHA-256: 073fd8bcb6a4a9cf29945da93fd585e43e57c91e3c4a97b2a807004dc19c0537
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BDF8
    Size: 3616 bytes