Malicious PDF — malware analysis report

Static analysis result for SHA-256 98a3d6f6c65a900f…

MALICIOUS

PDF

39.5 KB Created: 2020-09-02 22:08:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b665a2a003d532eb116fe137fc980ee7 SHA-1: fe2fe36676bd70f6e4705d66396df1cba0f07c18 SHA-256: 98a3d6f6c65a900f987379e1ccdcf861383afeebc78721216ddd32a860eb9137
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised as a 'badger 5 disposal manual'. This suggests a phishing or social engineering attack aimed at redirecting the user to malicious content. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the presence of the malicious link and the PDF structure indicate a likely attempt to lure the user to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=badger+5+disposal+manual
    • https://static.usrfiles.com/ugd/77941b_05e18fca6a0c4e1192d5e34e835742bb.pdf
    • https://static.usrfiles.com/ugd/66f7a0_11fe1c4f0e32443ca8e53066e4bc53bb.pdf
    • https://static.usrfiles.com/ugd/7e6083_83b2da2ed9ed4bea843ca5dbc0b21079.pdf
    • https://static.usrfiles.com/ugd/e2b09b_568ba7a27fad4143a986c293fa6e6bc5.pdf
    • https://cdn.shopify.com/s/files/1/0428/5841/4236/files/80635246448.pdf
    • https://cdn.shopify.com/s/files/1/0435/6905/3854/files/55046974187.pdf
    • https://cdn.shopify.com/s/files/1/0432/6955/4329/files/bolopam.pdf
    • https://cdn.shopify.com/s/files/1/0435/9415/4146/files/48313315812.pdf
    • https://cdn.shopify.com/s/files/1/0430/5531/7149/files/91478859116.pdf
    • https://cdn.shopify.com/s/files/1/0432/8387/3942/files/79656160706.pdf
    • https://cdn.shopify.com/s/files/1/0431/1387/3569/files/1149058203.pdf
    • https://cdn.shopify.com/s/files/1/0435/9146/7176/files/4095061707.pdf
    • https://cdn.shopify.com/s/files/1/0462/7061/1613/files/dance_battle_video_hd.pdf
    • https://cdn.shopify.com/s/files/1/0430/8910/0957/files/bercow_report_summary.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b9a.bin
3f24cfff0b0efc1e44386a9a71fb614140a4bf642907abab7f98a01f7a450f9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B9A 5452 bytes
font_01_sfnt_off00006e10.bin
bf6d74068b6bd00cfcfb44c568b7f9fee9685abbe72d7ab07ae32458b481e9c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E10 10656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.