Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d3fc2c9e2075de4…

MALICIOUS

PDF

Size: 80.3 KB
Created: 2020-09-19 06:58:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a99c72f422c62fc347a1567ae447d10
SHA-1: e62fdd2ad796e84d799be8be7d9add47946e8f74
SHA-256: 9d3fc2c9e2075de424caab58e353b8030a9bd01559fb821402409d1750ef0bcf
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell

Two critical heuristics fired on this file. The first flags a clickable link to 'ttraff.ru', redirector infrastructure associated with a known malicious PDF SEO/adware delivery campaign. The second flags a PDF link farm: a small file carrying many external PDF links, mostly clustered on one host, which is the pattern of generated carrier documents used to inflate search-engine rankings and route users into redirect chains. The ML classifier independently scored the file as malicious (1.0000), and the same redirector URL also appears in the document body, so the indicator is not confined to a single link annotation. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a generated carrier rather than an authored document. The heuristics describe user-interaction and redirect-chain delivery, not a PDF parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=chief+administrator+example+sentence
    • https://01cbe456-fa3f-4567-838e-59f302007cbc.filesusr.com/ugd/0c8cc8_68fad3188276428db6cb9840da2f55d4.pdf?index=true
    • https://fc42994b-c010-497a-a187-c237fe45993b.filesusr.com/ugd/8e7730_cd452a354b8342babf776e1e7789281c.pdf?index=true
    • https://5d3e2aa1-c6db-4078-bde8-17363c862476.filesusr.com/ugd/a382ee_4cd215d6e1694516ba81bda7025746cb.pdf?index=true
    • https://6f0717a3-2b5c-4e36-8312-3f1142d8aa92.filesusr.com/ugd/f51585_7ac4fb5d873f4a56a68cb143bc04b0e8.pdf?index=true
    • https://05796205-362a-48d1-b911-815fb0b427a6.filesusr.com/ugd/895bef_07ee54c9f57a4a1d82b2e81737b0468f.pdf?index=true
    • https://1efe569a-dbbc-480d-8210-7d10e491cc4c.filesusr.com/ugd/1e4819_e4fd9dc800a045f09c7a3030ceed79a8.pdf?index=true
    • https://5712eed7-d910-4ae5-87d3-5b6c7b616ea4.filesusr.com/ugd/59deca_7366ee93ee5949e98a6cb056c57fdedf.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0435/1623/1840/files/flywheel_energy_storage_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/2301/5841/files/sosugudejave.pdf
    • https://cdn.shopify.com/s/files/1/0438/4741/8016/files/27362165062.pdf
    • https://cdn.shopify.com/s/files/1/0432/4782/9156/files/niwud.pdf
    • https://cdn.shopify.com/s/files/1/0439/3543/2859/files/fetemudomusibavoni.pdf
    • https://cdn.shopify.com/s/files/1/0438/2880/5789/files/tajon.pdf
    • https://cdn.shopify.com/s/files/1/0432/0080/7067/files/98981649831.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/8861538602.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
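The two structural heuristics above, the link-farm test and the duplicate-object test, can both be reproduced with a raw-byte scan of the file. The Python below is an added example written for this page, not the analysis engine's own code: it builds a constructed link-farm PDF carrying an incremental update and runs both checks over it. The thresholds (file size, minimum link count, cluster share), the two-label registrable-domain approximation and the list of active-content keys are assumptions chosen for the example.

```python
"""Added example (not the report's detection engine): PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL re-implemented as raw-byte scans."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Plain regex scans: adequate for unencrypted files that do not hide objects in
# object streams (/ObjStm) or binary stream data containing the keyword "endobj".
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed list of keys whose presence in a duplicated body raises severity to critical.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_farm_check(pdf, max_size=200_000, min_links=8, cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style check: a small file with many external .pdf links,
    most of them under one registrable domain. Returns None when it does not fire."""
    if len(pdf) > max_size:
        return None
    urls = [u.decode("latin-1") for u in URI_RE.findall(pdf)]
    pdf_links = [u for u in urls
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < min_links:
        return None
    domains = Counter(registered_domain(urlsplit(u).hostname or "") for u in pdf_links)
    top, n = domains.most_common(1)[0]
    share = n / len(pdf_links)
    if share < cluster_share:
        return None
    return {"links": len(pdf_links),
            "hosts": len({urlsplit(u).hostname for u in pdf_links}),
            "top_domain": top, "share": share}


def duplicate_object_check(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: report every (num, gen) pair
    defined more than once with differing bodies, with first-wins and last-wins views."""
    bodies = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        bodies[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    findings = []
    for key, defs in bodies.items():
        if len(set(defs)) < 2:
            continue  # identical re-definitions are the benign incremental-update case
        first, last = defs[0], defs[-1]
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        findings.append({"obj": key, "definitions": len(defs),
                         "severity": "critical" if active else "info",
                         "first_wins": first, "last_wins": last})
    return findings


def build_sample():
    """Constructed input (not the analysed file): ten link annotations, six under
    *.filesusr.com and four on cdn.shopify.com, followed by an incremental update that
    redefines the catalog (object 1) to add a JavaScript /OpenAction. No xref table is
    written because the scanners above do not need one."""
    hosts = ["%08x.filesusr.com" % i for i in range(6)] + ["cdn.shopify.com"] * 4
    annots = b"".join(
        b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://%s/files/%d.pdf) >> >>\nendobj\n"
        % (10 + i, h.encode(), i)
        for i, h in enumerate(hosts))
    base = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" + annots
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    update = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
              b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return base + update


if __name__ == "__main__":
    sample = build_sample()
    print("link farm:", link_farm_check(sample))
    for f in duplicate_object_check(sample):
        print("duplicate object", f["obj"], f["severity"])
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
```

On the constructed sample the link-farm check fires with ten links across seven hosts, six of them under filesusr.com, and the duplicate-object check reports object 1 0 as critical because the last-wins body carries an /OpenAction that the first-wins body lacks; a reader that honours the first definition never sees the JavaScript, one that honours the last runs it.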

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fdb9.bin
  SHA-256: c23d8bdd93c3aac56ca0c489ebf94dd4f5193d0ed6d0d6abcac276e4dde59b12
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFDB9
  Size: 5368 bytes

Filename: font_01_sfnt_off00010fd4.bin
  SHA-256: 2752ea3b1745568b7254642e4faff8d2a2711ea9930a14f5fcf8ea1c708ee352
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10FD4
  Size: 10632 bytes
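The artifact list above records embedded sfnt fonts by file offset, size and SHA-256. The Python below is an added example, not the carver that produced the list: it locates stream objects, inflates FlateDecode ones, keeps those that begin with an sfnt signature, sanity-checks the table directory, and reports the same fields with the same file-naming pattern. The sample PDF and its 32-byte font are constructed inline; the signature list, the 256-byte look-back for the stream dictionary and the directory-size bounds are assumptions.

```python
"""Added example (not the report's carver): find embedded sfnt font programs in a PDF
by stream scanning and report offset, size, SHA-256 and table directory."""
import hashlib
import re
import struct
import zlib

# A lookbehind keeps the "stream" inside "endstream" from starting a new match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# Direct integer /Length only; "/Length 7 0 R" (indirect) is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# sfnt container signatures: TrueType, Apple TrueType, OpenType/CFF (assumed list).
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sfnt_table_tags(data):
    """Parse the sfnt table directory; return the table tags, or None if the
    directory is malformed (bad table count, or an entry pointing past the data)."""
    if len(data) < 12:
        return None
    num_tables = struct.unpack(">H", data[4:6])[0]
    if not 1 <= num_tables <= 64 or len(data) < 12 + 16 * num_tables:
        return None
    tags = []
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        if off + length > len(data):
            return None  # table points outside the font: truncated or crafted
        tags.append(tag.decode("latin-1"))
    return tags


def carve_sfnt_fonts(pdf):
    """Return one record per stream whose (inflated) content starts with an sfnt signature."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary sits just before the keyword; cut at the last "obj"
        # so an earlier object's dictionary is not mistaken for this one.
        head = pdf[max(0, m.start() - 256):m.start()]
        cut = head.rfind(b"obj")
        head = head[cut:] if cut >= 0 else head
        raw = m.group(1)
        lm = LENGTH_RE.search(head)
        if lm:  # a direct /Length is authoritative; the regex span is only a fallback
            raw = pdf[m.start(1):m.start(1) + int(lm.group(1))]
        data = raw
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or differently filtered stream; not carved here
        if not data.startswith(SFNT_MAGIC):
            continue
        off = m.start(1)
        fonts.append({"filename": "font_%02d_sfnt_off%08x.bin" % (len(fonts), off),
                      "offset": off, "raw_size": len(raw), "size": len(data),
                      "sha256": sha256_hex(data), "tables": sfnt_table_tags(data)})
    return fonts


def build_font():
    """Constructed 32-byte TrueType-style sfnt: header declaring one table, a
    directory entry for 'cmap' at offset 28, and four bytes of table data."""
    return (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
            + b"cmap" + struct.pack(">III", 0, 28, 4) + b"\x00\x00\x00\x00")


def build_sample():
    """Constructed input (not the analysed file): one plain content stream that must
    be skipped and one FlateDecode stream holding the font from build_font()."""
    deflated = zlib.compress(build_font())
    header = b"%PDF-1.4\n4 0 obj\n<< /Length 5 >>\nstream\nBT ET\nendstream\nendobj\n"
    font_obj = (b"5 0 obj\n<< /Length " + str(len(deflated)).encode()
                + b" /Filter /FlateDecode >>\nstream\n" + deflated + b"\nendstream\nendobj\n")
    return header + font_obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for f in carve_sfnt_fonts(build_sample()):
        print("%s  %s  offset 0x%X  %d bytes  tables=%s"
              % (f["filename"], f["sha256"], f["offset"], f["size"], f["tables"]))
```

A directory entry that points past the end of the carved data is the first thing to look at in a font pulled from a document like this, since font rasterizers trust those offsets; on the constructed sample the content stream is skipped and the single font carves with a clean one-entry directory.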