Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bd6714cdaeaa22e…

MALICIOUS

PDF

41.5 KB Created: 2020-08-20 07:46:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00b341150b9834f278ebfb0f73f30d9f SHA-1: 56aba960badaf39c789bf11f1a8cc3bbacd624e0 SHA-256: 9bd6714cdaeaa22e9b8681a0bed87fd55b564ce62953627c0801212c08d07324
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.ru' with a keyword suggesting a lure for Salesforce users. The document body, though heavily obfuscated, also contains this URL and numerous other links, many pointing to Shopify, which is flagged as a PDF link farm. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be directing users to malicious infrastructure via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=attach+file+to+email+template+salesforce
    • http://files.stormh20bmp.com/uploads/1/3/1/6/131606733/wakuxuwerisigojemefa.pdf
    • https://cdn.shopify.com/s/files/1/0437/1775/5034/files/autocab_ghost_user_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/1613/4551/files/anaemia_definition.pdf
    • https://cdn.shopify.com/s/files/1/0431/0391/2098/files/soundtrack_abyss_drama_korea.pdf
    • https://cdn.shopify.com/s/files/1/0434/0822/8508/files/craiglist._org_palm_springs.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/35022180152.pdf
    • https://cdn.shopify.com/s/files/1/0433/0048/7332/files/22448852761.pdf
    • https://cdn.shopify.com/s/files/1/0435/6525/2771/files/intern_survival_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gumuwajufutoz.pdf
    • https://cdn.shopify.com/s/files/1/0461/0690/2691/files/fumogedanapor.pdf
    • https://cdn.shopify.com/s/files/1/0428/5943/0047/files/29229892468.pdf
    • https://cdn.shopify.com/s/files/1/0427/9032/2335/files/ctet_answer_key_2020_paper_2_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b66.bin
c672abfa608261e05f6dd3d7a1a7732272fdf74efbc0044f0e02fe5374e53430		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B66 5244 bytes
font_01_sfnt_off00006d11.bin
3969ae375bcccd876ca8e447f730234081e73a3a874008bbbffdb4d0a35143fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D11 13908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.