Malicious PDF — malware analysis report

Static analysis result for SHA-256 9eb43bc97b8dceef…

MALICIOUS

PDF

67.5 KB Created: 2020-07-29 19:11:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fabcdef8ef5d0bb8b4a05cfe623b2912 SHA-1: 9987b840949f37c9721686b7cf3d4c3eb4a48b7c SHA-256: 9eb43bc97b8dceeff15e725fbfdddefb884b7d523875f54d1b683721e3544b7e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating it's a malicious redirector link farm. The primary malicious URL identified is ttraff.ru, which is used in conjunction with a keyword suggesting a lure for information about neonatal pneumonia. The document body, though heavily obfuscated, contains metadata related to PDF creation and the keyword used in the URL, reinforcing the lure. The presence of a large number of external links, many hosted on Shopify, suggests an attempt to distribute traffic or host malicious content across multiple domains.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=neumonia+neonatal+pdf
    • http://files.vibrant-energies.com/uploads/1/3/0/8/130873907/nomadu.pdf
    • http://files.sv-integrity.com/uploads/1/3/1/3/131380850/pilumobafuxepev.pdf
    • http://files.testingequipmentstore.com/uploads/1/3/1/4/131455832/talutekavut-kudareko.pdf
    • https://cdn.shopify.com/s/files/1/0437/7640/9751/files/fesusajogawivotibala.pdf
    • https://cdn.shopify.com/s/files/1/0429/9682/6273/files/jozatamumalipirekunanuvuk.pdf
    • https://cdn.shopify.com/s/files/1/0431/0423/9770/files/94466162878.pdf
    • https://cdn.shopify.com/s/files/1/0429/2093/5590/files/xigaxuzogalunivepop.pdf
    • https://cdn.shopify.com/s/files/1/0433/6012/5080/files/45072901164.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/32773531818.pdf
    • https://cdn.shopify.com/s/files/1/0431/1003/9719/files/49500436785.pdf
    • https://cdn.shopify.com/s/files/1/0429/7624/7971/files/19282009970.pdf
    • https://cdn.shopify.com/s/files/1/0432/0041/3856/files/bedojapoku.pdf
    • https://cdn.shopify.com/s/files/1/0440/6244/1637/files/79820947207.pdf
    • https://cdn.shopify.com/s/files/1/0433/4636/2533/files/vivap.pdf
    • https://cdn.shopify.com/s/files/1/0430/3316/5986/files/kutize.pdf
    • https://cdn.shopify.com/s/files/1/0432/1171/8820/files/zidufuxofup.pdf
    • https://cdn.shopify.com/s/files/1/0432/4923/8184/files/mizejo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009071.bin
4200db6c0e80cadcb5e6095e2db64c6b33cb2c0480475197fd4329a98774db8e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9071 6548 bytes
font_01_sfnt_off0000a0b7.bin
8b69ad8bf8706a8de8604f0485c67fb25a23b24d50174afbb8bbf061f3c53837		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA0B7 1684 bytes
font_02_sfnt_off0000a91b.bin
adb3277dfff81f07972f445adb9554df18526e3715a284cc58dfccfd531dcaa0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA91B 4764 bytes
font_03_sfnt_off0000b93d.bin
1df2ef9400933de245c12b7b7c1e910bb37d4b5b3a043ec557b29639fdb53413		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB93D 15956 bytes
font_04_sfnt_off0000ea7a.bin
c41fc46809d2260d2d1a821cef6bb00dae560fdbad380da94a93f29d012df54e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEA7A 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.