Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab18fbbde3289b4a…

Verdict: MALICIOUS
File type: PDF
Size: 41.9 KB
Created: 2020-08-05 15:59:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04c15925ec31573125a1cb58405ffab1
SHA-1: 39531bd87dbac1a921e9e4b44ff02efce81f8bc5
SHA-256: ab18fbbde3289b4a50ef127ca38617ba464454a0777d7e62d9bf420a11f84c27
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF carries an unusually large number of link annotations for a 41.9 KB file; one critical heuristic fired for a known malicious redirector and another for a PDF link farm. The primary malicious URL is the ttraff.ru redirector, which is called with the search phrase the lure targets (keyword=abebe+bikila+biography+pdf) and forwards the reader along a redirect chain to further malicious, phishing or unwanted-software content. The remaining links point at other generated PDFs, 12 of the 15 on cdn.shopify.com: the cross-linking pattern used to inflate search rankings for these lure documents rather than a normal citation pattern. The document's text did not extract as readable strings, so the links and metadata are the only readable content; no exploit or active-content heuristic fired, and the compromise depends on the reader clicking a link, not on opening the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so opening the file is not by itself the compromise step; following the link is.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JavaScript, link annotation, document body, ...) decides how much weight it carries, so each URL is listed with its channel.
    Redirector target (link annotation):
    • https://ttraff.ru/pify?keyword=abebe+bikila+biography+pdf
    Other link annotation targets (external PDFs):
    • http://labufu.lowersavannahriveralliance.org/uploads/1/3/0/7/130775727/fd299913d130b.pdf
    • http://files.lifetime-memories-photography.com/uploads/1/3/1/4/131453623/bolajato.pdf
    • http://files.psychiatricsocietygoa.org/uploads/1/3/1/3/131384636/bajivamoderu_futomolabiz.pdf
    • https://cdn.shopify.com/s/files/1/0438/3762/0381/files/dejunosirusowimor.pdf
    • https://cdn.shopify.com/s/files/1/0433/8365/2506/files/lonosugabilurisebobuwola.pdf
    • https://cdn.shopify.com/s/files/1/0434/7170/0120/files/pibenenavoviwufari.pdf
    • https://cdn.shopify.com/s/files/1/0430/3686/8762/files/how_to_stop_nox_from_downloading_apps.pdf
    • https://cdn.shopify.com/s/files/1/0430/2585/8714/files/59965385853.pdf
    • https://cdn.shopify.com/s/files/1/0431/8904/3362/files/37155731333.pdf
    • https://cdn.shopify.com/s/files/1/0440/5942/6968/files/2020_calendar_template_editable.pdf
    • https://cdn.shopify.com/s/files/1/0428/8145/0147/files/tusanofo.pdf
    • https://cdn.shopify.com/s/files/1/0430/0718/0954/files/catfish_farming_business_plan.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/37604868145.pdf
    • https://cdn.shopify.com/s/files/1/0439/9969/0910/files/suwafavigidejata.pdf
    • https://cdn.shopify.com/s/files/1/0437/8555/2030/files/39080467929.pdf
    XMP metadata namespace identifiers (document body, not clickable): these are the standard RDF, Dublin Core and Adobe XMP namespace URIs from the metadata packet and are benign on their own; they are listed only because the extractor reports every URL-shaped string in the document body.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
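The two critical heuristics above and the per-channel point made under EMBEDDED_URL, as an added Python example that is not the scanner's own code. It pulls the targets of /URI link actions out of the raw file, labels every URL-shaped string by whether it is clickable or merely sits in the document body (the XMP namespace URIs), and applies the small-file, many-external-PDF-links, one-dominant-host test. The thresholds, the known-redirector set and the sample PDF builder are assumptions; the link targets used in the sample are the ones listed above.

```python
"""Link-annotation heuristics for small SEO link-farm PDFs.

Added example, not the scanner's own code.  The thresholds
(MAX_SIZE_BYTES, MIN_PDF_LINKS, MIN_TOP_HOST_SHARE) and the
KNOWN_REDIRECTOR_HOSTS set are assumptions chosen for illustration;
the only host in that set is the one named in the report.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlsplit

MAX_SIZE_BYTES = 256 * 1024        # "small PDF" cut-off (assumption)
MIN_PDF_LINKS = 8                  # external .pdf links that make a farm (assumption)
MIN_TOP_HOST_SHARE = 0.6           # "mostly clustered on one host" (assumption)
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}   # from the report; a real list is maintained elsewhere

# A /URI name followed by a literal string: the target of a /S /URI link action.
# Only plain literal strings without nested or escaped parentheses are handled,
# which is all these generated carriers use (assumption).
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Anything URL-shaped anywhere in the raw bytes, clickable or not.
BODY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def link_uris(pdf: bytes) -> list[str]:
    """URLs reached through link annotations (the clickable channel)."""
    return [m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)]


def url_channels(pdf: bytes) -> dict[str, str]:
    """Label every URL-shaped string by the channel that carries it."""
    clickable = set(link_uris(pdf))
    return {u: "link annotation" if u in clickable else "document body"
            for u in (m.decode("latin-1") for m in BODY_URL_RE.findall(pdf))}


def run_heuristics(pdf: bytes) -> list[str]:
    """Return the names of the heuristics that fire, most severe first."""
    hits = []
    uris = link_uris(pdf)
    parts = [urlsplit(u) for u in uris]
    if any((p.hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS for p in parts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_hosts = [(p.hostname or "").lower() for p in parts
                 if p.path.lower().endswith(".pdf")]
    if len(pdf) <= MAX_SIZE_BYTES and len(pdf_hosts) >= MIN_PDF_LINKS:
        _host, top = Counter(pdf_hosts).most_common(1)[0]
        if top / len(pdf_hosts) >= MIN_TOP_HOST_SHARE:
            hits.append("PDF_SEO_LINK_FARM")
    if uris:
        hits.append("EMBEDDED_URL")
    return hits


def build_sample_pdf(uris: list[str]) -> bytes:
    """Constructed sample: one page of link annotations plus an XMP packet.
    No xref table is written, so it is for parsing demos only, not for viewers."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n" for u in uris)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(xmp)).encode()
        + b" >>\nstream\n" + xmp + b"\nendstream endobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


# Link targets taken from the report: the redirector plus a dozen generated
# PDFs, most of them on one host.
SAMPLE_URIS = [
    "https://ttraff.ru/pify?keyword=abebe+bikila+biography+pdf",
    "http://labufu.lowersavannahriveralliance.org/uploads/1/3/0/7/130775727/fd299913d130b.pdf",
    "http://files.lifetime-memories-photography.com/uploads/1/3/1/4/131453623/bolajato.pdf",
    "http://files.psychiatricsocietygoa.org/uploads/1/3/1/3/131384636/bajivamoderu_futomolabiz.pdf",
    "https://cdn.shopify.com/s/files/1/0438/3762/0381/files/dejunosirusowimor.pdf",
    "https://cdn.shopify.com/s/files/1/0433/8365/2506/files/lonosugabilurisebobuwola.pdf",
    "https://cdn.shopify.com/s/files/1/0434/7170/0120/files/pibenenavoviwufari.pdf",
    "https://cdn.shopify.com/s/files/1/0430/3686/8762/files/how_to_stop_nox_from_downloading_apps.pdf",
    "https://cdn.shopify.com/s/files/1/0430/2585/8714/files/59965385853.pdf",
    "https://cdn.shopify.com/s/files/1/0431/8904/3362/files/37155731333.pdf",
    "https://cdn.shopify.com/s/files/1/0440/5942/6968/files/2020_calendar_template_editable.pdf",
    "https://cdn.shopify.com/s/files/1/0428/8145/0147/files/tusanofo.pdf",
    "https://cdn.shopify.com/s/files/1/0430/0718/0954/files/catfish_farming_business_plan.pdf",
]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URIS)
    print(run_heuristics(sample))
    for url, channel in url_channels(sample).items():
        print(f"{channel:16} {url}")
```

A production detector would walk the object tree rather than regex the raw bytes (link dictionaries can live in object streams or use hex strings), and the redirector set would be fed from campaign tracking; what this shows is the shape of the decision: count only the clickable channel, normalise hosts, and require both a small carrier and one dominant host before calling it a farm.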

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt (TrueType/OpenType) font programs, which a wkhtmltopdf/Qt-rendered document is expected to embed; none of the heuristics above attributes any behaviour to them.

  • font_00_sfnt_off000065ef.bin
    SHA-256: 4646d96f335b4673b607b316b09d6f837da95de7689e1c25d21a972364952f82
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65EF
    Size: 5420 bytes
  • font_01_sfnt_off00007863.bin
    SHA-256: 4c892e9583eedd53b34aac464379d54c68e214f9443ba625e04ee4f017a92fcf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7863
    Size: 10096 bytes
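How the two font artifacts above can be carved and hashed, as an added Python example that is not the analysis platform's own carver. It walks the file's streams, Flate-decodes the ones that declare it, keeps those whose decoded bytes start with an sfnt magic, and records offset, size and SHA-256 in the report's naming scheme. Assumptions: only direct /Length values are handled, the offset reported is that of the stream data's first byte in the file, the size is the decoded length, and the embedded font is a constructed 28-byte sfnt header rather than a real font.

```python
"""Carve embedded sfnt font programs out of a PDF and hash them.

Added example, not the analysis platform's own carver.  Assumptions: only
uncompressed and FlateDecode streams with a direct /Length are handled, the
reported offset is that of the stream data's first byte in the file, and the
reported size is the decoded font's size.  The font below is a constructed
sfnt header, not a real font.
"""
from __future__ import annotations

import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType / OpenType / collection
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")            # data begins right after this
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)") # skip indirect "n 0 R" lengths


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf: bytes):
    """Yield (offset, dictionary_bytes, raw_stream_bytes) for each stream with a direct /Length."""
    for m in STREAM_START_RE.finditer(pdf):
        obj_at = pdf.rfind(b" obj", 0, m.start())
        if obj_at < 0:
            continue
        dictionary = pdf[obj_at:m.start()]
        length = DIRECT_LENGTH_RE.search(dictionary)
        if not length:
            continue                      # indirect /Length: a full parser resolves it via the xref
        start = m.end()
        yield start, dictionary, pdf[start:start + int(length.group(1))]


def carve_fonts(pdf: bytes) -> list[dict]:
    """Return one record per embedded sfnt font, named like the report's artifacts."""
    found = []
    for offset, dictionary, raw in iter_streams(pdf):
        try:
            data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        except zlib.error:
            continue                      # truncated or not really Flate: skip rather than guess
        if not data.startswith(SFNT_MAGICS):
            continue
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "offset": offset,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return found


# Constructed sample: a 28-byte sfnt header (TrueType magic, one table record)
# embedded FlateDecode-compressed as a font stream, next to an XMP stream that
# must not be carved.
SAMPLE_FONT = (b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00\x10\x00\x00\x00\x00"
               + b"name" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x1c" + b"\x00\x00\x00\x00")
SAMPLE_FONT_STREAM = zlib.compress(SAMPLE_FONT)
_XMP = b'<x:xmpmeta xmlns:x="adobe:ns:meta/"/>'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(_XMP)).encode()
    + b" >>\nstream\n" + _XMP + b"\nendstream endobj\n"
    b"2 0 obj << /Length " + str(len(SAMPLE_FONT_STREAM)).encode()
    + b" /Filter /FlateDecode /Length1 " + str(len(SAMPLE_FONT)).encode()
    + b" >>\nstream\n" + SAMPLE_FONT_STREAM + b"\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for record in carve_fonts(SAMPLE_PDF):
        print(record)
```

Hashing the decoded bytes rather than the compressed stream keeps the artifact hash independent of the compressor's settings, which is what makes the SHA-256 values in the table comparable across samples; a carver that also handles indirect /Length values and the other stream filters needs a real xref-aware parser rather than the byte scan used here.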