Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae4b3fba1b47ec7a…

Verdict: MALICIOUS

File type: PDF

Size: 41.0 KB
Created: 2020-08-06 02:55:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06254f93f0280e7b361d99ee22af5c24
SHA-1: c2b967c17c5be1edb2de4c30ee579acb1c9cbf8c
SHA-256: ae4b3fba1b47ec7af6efbf788691ba376dce48ec478bb789fd665c403c77264c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 Malicious File: Malicious Link

The PDF document contains a large number of embedded links, many of which point to a redirector infrastructure identified as malicious. The primary malicious URL is https://ttraff.ru/wb?keyword=leed%20ap%20bd+c%20exam%20preparation%20guide%20. This behavior is consistent with a link farm designed to drive traffic to potentially harmful sites, likely for SEO manipulation or to host further malicious content. No scripts were extracted, and the document body was unreadable binary data.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/wb?keyword=leed%20ap%20bd+c%20exam%20preparation%20guide%20(v4)%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005e32.bin | cb5ffd55d285328af15afb17902323c6663b9c1e06eacc1fca951df219620917 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E32 | 5716 bytes
font_01_sfnt_off000071b9.bin | da2ff499c8cd6fb92b009fc2483b63fd52e2524fcb43ae2758761111f1081532 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x71B9 | 10856 bytes