Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa05e2b9831e78f9…

MALICIOUS

PDF

48.3 KB Created: 2020-07-10 18:26:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1aeb8878b3bd576e7ce2dde31194406a SHA-1: b2dbecc4084c770893ad12b5eb80bd0823b84132 SHA-256: aa05e2b9831e78f9352be3e151817e4d022a971f17747491d40920f45157ded4
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains numerous embedded links, including one pointing to a known malicious redirector at `ttraff.ru`. The document body is obfuscated but contains text related to "steel structure design book pdf", suggesting a lure to trick users into clicking the malicious link. The presence of a large number of external PDF links also indicates a link farm, a common tactic for SEO poisoning and distributing malicious content. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=steel%20structure%20design%20book%20pdf
    • http://files.holisticimpactfoundation.org/uploads/1/3/1/3/131398253/fivebib.pdf
    • http://files.imagineclayavenue.org/uploads/1/3/2/7/132710748/15f8e735.pdf
    • http://files.naturesspiritflytying.net/uploads/1/3/1/1/131163932/mokokajapeluje_zirunenomipazo_zujuguwumiko_sukugetot.pdf
    • http://files.ucra.us/uploads/1/3/0/9/130969993/maramere.pdf
    • http://files.uprisingstarsinc.org/uploads/1/3/1/3/131379045/gowofikur.pdf
    • http://files.match-gems.com/uploads/1/3/0/9/130969243/waruxe-gibotusupuwe-viputefetapaj-walugogigebomev.pdf
    • http://files.atartisticexpress.com/uploads/1/3/1/4/131408153/1542301.pdf
    • http://files.thomaschristopherhaag.com/uploads/1/3/2/3/132302924/971d4.pdf
    • http://files.brushandbranch.co/uploads/1/3/0/7/130740344/2297158.pdf
    • http://files.beerandwinefiltration.com/uploads/1/3/1/6/131636927/bejerovakezazajan.pdf
    • http://files.vellusandterminal.com/uploads/1/3/1/6/131606874/45cbdce0e9d3b9.pdf
    • https://julatepos.files.wordpress.com/2020/06/25423558491.pdf
    • https://xizokegiji.files.wordpress.com/2020/07/83710815901.pdf
    • https://wovavekaf.files.wordpress.com/2020/07/40146173472.pdf
    • https://gakazorex.files.wordpress.com/2020/06/4863066417.pdf
    • https://momunijubu866698461.files.wordpress.com/2020/07/daranipalutaboxoxuz.pdf
    • https://zuterejesami.files.wordpress.com/2020/06/10873673618.pdf
    • https://kanizewelit.files.wordpress.com/2020/07/40459026369.pdf
    • https://cdn.shopify.com/s/files/1/0432/5598/8374/files/narazelakuj.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/90685258811.pdf
    • https://cdn.shopify.com/s/files/1/0427/4041/6678/files/joraxe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066a7.bin
9e60ba582c55be411a0761c78c25778437c63a19731f29fe87793d3d13546fca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66A7 5300 bytes
font_01_sfnt_off000078ab.bin
33d80b5e357abfa3ea91f5eff18928953f8e36d8e9a7aea158c838e8ae756dd9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78AB 2116 bytes
font_02_sfnt_off00008275.bin
d16eb662084ff155e01c4a88eb37535da3776f8441ba26b4ed4528a418f048c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8275 15472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.