Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5776ae096071c9c…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Created: 2020-08-19 13:32:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9d2a321e8f93599beee8ef75fcd0189
SHA-1: 1e0f442c36e12e53dd7acec2984c3be7bb189bf0
SHA-256: a5776ae096071c9c69699932a8e639948286e331c812c3fd8bc869b212ad3282
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links to other PDFs hosted on domains like 'cdn.shopify.com'. The ML classifier also strongly flagged this PDF as malicious. The presence of these elements suggests a campaign to lure users through deceptive links, potentially leading to further malicious content or exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=aristotle+poetics+tragedy+six+elements+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005fdc.bin
    SHA-256: aba27a9feddf7bd7135d43bfcab08c85ef8c8f23ce35d1c7406cb9fcbae01909
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5FDC
    Size: 5636 bytes
  • font_01_sfnt_off000072fb.bin
    SHA-256: 08e3a5b8c20b8f361a4da7fd166395d47301b513fa1154941d5c34a130c562df
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72FB
    Size: 10012 bytes