Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4431c5f8ad75318…

MALICIOUS

PDF

Size: 105.5 KB
Created: 2020-09-17 14:52:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d7276c68dc9124437c3f37e325ff3d0b
SHA-1: 093e2dd37e53ed99ea27bcb972dd736323dcf50d
SHA-256: a4431c5f8ad753185b2e230c49a66b6156763c5d917314a3d1a52797b466b397
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with many links pointing to PDF files hosted on various domains. One prominent URL, 'https://ttraff.ru/wix?keyword=persona+3+empress+guardian', is identified as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it's designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=persona+3+empress+guardian
    • http://muted.musiceventsvt.com/uploads/1/3/0/7/130776074/voparu.pdf
    • http://fixejidum.heartpilgrim.org/uploads/1/3/1/3/131378776/widufogutum_kijorizetona.pdf
    • http://zudemuge.mojirestaurant.com/uploads/1/3/1/1/131164250/pabine-sukonufof-worodod.pdf
    • http://files.nzplantservices.com/uploads/1/3/2/8/132814476/kamuf-wedenogoti.pdf
    • http://files.northidahoblaze.com/uploads/1/3/0/7/130775607/ronazepezaxuxa-womonegiba.pdf
    • https://3946cb01-7704-45c8-accc-29a27ddb4189.filesusr.com/ugd/eddc50_fbc07694d7b04f4db91f69884b3a034d.pdf?index=true
    • https://0eb1621e-da71-40bc-93de-1bfc7251d0c0.filesusr.com/ugd/2d797c_72e46593e40342bfadd15f943fc536d1.pdf?index=true
    • https://a7c46fd0-d25b-4b6c-bf27-4ab7bdc7c5a9.filesusr.com/ugd/4c7633_86e128d9ef3743c3b6076cf6d51dc370.pdf?index=true
    • https://d83f54b0-fa42-40e5-b519-bcb238b51d9f.filesusr.com/ugd/0c60a0_07b682a28a1e4fff8ea47d7709e10131.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/8567/6188/files/circular_motion_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/0965/4434/files/64801298422.pdf
    • https://cdn.shopify.com/s/files/1/0436/9799/5941/files/fulixa.pdf
    • https://cdn.shopify.com/s/files/1/0432/1637/1867/files/dapujiliduwemi.pdf
    • https://cdn.shopify.com/s/files/1/0431/9959/4656/files/59647346356.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                         Kind             Source                                  Size
font_00_sfnt_off0000feb7.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0xFEB7   31120 bytes
  SHA-256: 83fd43429156807cc28978b912088b8183cfe5bd03aecb8304a7fcca4422c468
font_01_sfnt_off00015fe2.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x15FE2  5412 bytes
  SHA-256: 6c0911aa1fd3a7963c69a88fbd1ffa3e3bd416c7aac6fbb1ac8678f9773a2c73
font_02_sfnt_off00017233.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x17233  11204 bytes
  SHA-256: c4980c8fdc04b9991179635d3fc1bef0f0c8964fb0966e86d21553ac87d0ebb1