Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3fe8e26da50e9aa…

MALICIOUS

PDF

43.1 KB Created: 2020-08-21 17:41:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36bbdc23c0a95a9456f480eaef3e023b SHA-1: b4b3cd09728a7a2e19b0df8cd1a823690ce8c633 SHA-256: a3fe8e26da50e9aaa244ae9058c99d01dc97466496120240ca76faabcca4bdb6
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous links, including one pointing to a known malicious redirector infrastructure at 'ttraff.ru'. The document body and embedded links suggest a lure for software downloads, specifically 'adobe pdf for macbook pro'. The ML classifier strongly indicated maliciousness. No scripts were extracted, but the PDF structure and link analysis are sufficient to infer a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=adobe+pdf+for+macbook+pro
    • http://vaper.andersonolineacademy.com/uploads/1/3/0/9/130969042/772d7c3404a.pdf
    • http://files.mylunarsign.com/uploads/1/3/1/8/131857482/6fcae3.pdf
    • http://fepota.jamespattison.org/uploads/1/3/2/6/132681647/pezisipe-novuv-rewav-daradi.pdf
    • https://cdn.shopify.com/s/files/1/0440/1761/4998/files/manual_j_heat_load_calculation.pdf
    • https://cdn.shopify.com/s/files/1/0431/1734/6982/files/4175227151.pdf
    • https://cdn.shopify.com/s/files/1/0431/1446/3394/files/limetojaki.pdf
    • https://cdn.shopify.com/s/files/1/0430/8572/5857/files/microsoft_works_6-_9_file_converter.pdf
    • https://cdn.shopify.com/s/files/1/0428/5785/7187/files/best_video_editor_android_without_watermark.pdf
    • https://cdn.shopify.com/s/files/1/0433/5756/9176/files/vopij.pdf
    • https://cdn.shopify.com/s/files/1/0432/8590/5576/files/85296763489.pdf
    • https://cdn.shopify.com/s/files/1/0437/0549/9801/files/73662747050.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000695b.bin
b7949aad39c03c3dd0418c19ce43bc0d256c83eeb061169ed94db0ba6634fdc3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x695B 5284 bytes
font_01_sfnt_off00007b3b.bin
15c336605adff0783d66b140988df22519617851ddb0b1a10ca57faa3ef84bfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B3B 10944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.