Malicious PDF — malware analysis report

Static analysis result for SHA-256 a789c9b6f2d938c7…

MALICIOUS

PDF

48.3 KB Created: 2020-07-30 17:02:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2daa384668c695edf787efefaebc122e SHA-1: 5f269d930d6dfea9f270ea0c1a586e2a54bad960 SHA-256: a789c9b6f2d938c71011b0febbc5f9929a9b40bda05c99de1bf8eb17c39720b9
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The ML classifier also strongly indicated maliciousness. The embedded URLs, particularly the one pointing to 'ttraff.ru', are highly suspicious and likely lead to malicious content. The document body appears to be heavily obfuscated or corrupted, preventing a clear understanding of its specific lure, but the presence of numerous external links suggests a delivery mechanism for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=dementia+journal+pdf
    • http://files.robinsabagtherapy.com/uploads/1/3/0/7/130774965/xoduxag_kopajorurivixuw.pdf
    • http://files.cleaningsantabarbara.com/uploads/1/3/0/7/130739693/tosugaxadaze.pdf
    • http://files.choteautlc.com/uploads/1/3/1/6/131607565/0aae56f.pdf
    • http://files.iowaaces360.org/uploads/1/3/2/7/132710497/tovulubumafo_pavirododa_vogutudofebavit.pdf
    • http://files.ctfarms-rabbits.com/uploads/1/3/1/6/131606289/51399.pdf
    • http://files.iowaaces360.org/uploads/1/3/2/7/132710497/tovulubumafo_pavirododa_vogutudofebavit
    • https://cdn.shopify.com/s/files/1/0428/1552/0935/files/96353988222.pdf
    • https://cdn.shopify.com/s/files/1/0434/1877/9815/files/15542698231.pdf
    • https://cdn.shopify.com/s/files/1/0432/0880/2466/files/kozupenazor.pdf
    • https://cdn.shopify.com/s/files/1/0432/6067/4198/files/46853152031.pdf
    • https://cdn.shopify.com/s/files/1/0435/9503/8877/files/lodipuluxoge.pdf
    • https://cdn.shopify.com/s/files/1/0430/7773/0464/files/baxifeki.pdf
    • https://cdn.shopify.com/s/files/1/0431/2681/6932/files/44883139818.pdf
    • https://cdn.shopify.com/s/files/1/0431/6807/1836/files/givinavub.pdf
    • https://cdn.shopify.com/s/files/1/0437/0530/3190/files/90266747287.pdf
    • https://cdn.shopify.com/s/files/1/0431/3802/3592/files/putunimajuwoke.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2959/files/91843393771.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/64541570927.pdf
    • https://cdn.shopify.com/s/files/1/0435/9369/5391/files/kodizozoga.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008222.bin
186069245e64c8e50d72d0a3a27767370733239d6b6f96153d20ca730d7764db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8222 4964 bytes
font_01_sfnt_off000092ea.bin
ca9ed671e22af68ab8503234a48738d7c0b91ac96f707f72cbd80a4dd413c035		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92EA 9784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.