Malicious PDF — malware analysis report

Static analysis result for SHA-256 a75f80951b50d4f1…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB
Created: 2020-07-30 23:29:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3bafbee47f76a5b039fa185b88280ab
SHA-1: d8473dc2c11170c35c9db01dcfb91a553c3dbd30
SHA-256: a75f80951b50d4f1878a781a0bafe6403c84f381aac60e05b348b43dfb9c0633
Risk score: 158

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains embedded JavaScript and multiple links, with one pointing to known malicious redirector infrastructure (ttraff.ru). The document body, though heavily obfuscated, appears to be a lure related to 'arbonne shake recipes pdf'. The presence of a link farm and the ML classifier's high confidence suggest a malicious intent to redirect users to potentially harmful content or phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=arbonne+shake+recipes+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00007ea0.bin
    SHA-256: f414211176df0e0a1eb1b61261870bdb013f7dddc381e58acd2bf33d869a4caf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7EA0
    Size: 5112 bytes
  • Filename: font_01_sfnt_off00008fdf.bin
    SHA-256: a78190a9a3ae71afd2ddc8849cdd69540fc402945b931e76495f8233762a0273
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8FDF
    Size: 14380 bytes