Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bde06c14f4cd99b…

MALICIOUS

PDF

45.5 KB Created: 2020-08-31 15:15:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c65183bf211a9c5ceba3f3d99686b795 SHA-1: c7fd0d691a838156a5a32daf09f436f5ee04b998 SHA-256: 9bde06c14f4cd99b3a23b9c0196dba9ac9a089153b1479e0298ecab3dced7bdd
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. It also exhibits a PDF link farm heuristic, with numerous links to external PDFs, many hosted on Shopify. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be directing users to malicious infrastructure via the 'ttraff.ru' URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=crioterapia+espasticidad+pdf
    • https://cdn.shopify.com/s/files/1/0440/4386/2181/files/dragon_quest_11_game_guide_book.pdf
    • https://cdn.shopify.com/s/files/1/0436/3173/9033/files/kepavasuvukebuvapiremepe.pdf
    • https://cdn.shopify.com/s/files/1/0438/3935/7093/files/new_york_city_street_map_app.pdf
    • https://cdn.shopify.com/s/files/1/0429/2991/4012/files/44068710281.pdf
    • https://cdn.shopify.com/s/files/1/0428/4055/5676/files/clinical_nutrition_assessment.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/luzugojozawok.pdf
    • https://static.usrfiles.com/ugd/764aaa_97eee8223f4d4ec0a34c68a9e34db15b.pdf
    • https://static.usrfiles.com/ugd/b8c837_e7472894cf8c4921895d0f1fdb15bfad.pdf
    • https://cdn.shopify.com/s/files/1/0439/3569/5016/files/67666684163.pdf
    • https://cdn.shopify.com/s/files/1/0428/9275/5111/files/search_iphone_chrome.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076aa.bin
33d82255a879c0bf40338ee4bad86838556e8adf4c0249c408f4b350108a653d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76AA 5024 bytes
font_01_sfnt_off000087c9.bin
499bfd4bf3d734ce9dc0ab22ddb0d5e4a805363c9108d919b6684f12d8f16c8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87C9 9996 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.