Malicious PDF — malware analysis report

Static analysis result for SHA-256 b43b293c182448e4…

MALICIOUS

PDF

83.4 KB Created: 2020-08-29 17:22:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb077702f789a1f26164680e5ce5830b SHA-1: 25bb6ea887f812311350119a67a1944d6c647682 SHA-256: b43b293c182448e4d1f7478ec74f8a978423d3a61b31033005ae33256a55f5c2
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics indicating malicious redirector links and a link farm. The ML classifier also assigned a high probability of maliciousness. The embedded URL `https://ttraff.ru/wix?keyword=%25D9%2585%25D8%25A7%25D8%25B0%25D8%25A7+%25D9%258A%25D8%25B9%25D9%2586%25D9%258A+%25D8%25B9%25D9%2586%25D8%25AF%25D9%2585%25D8%25A7+%25D9%258A%25D8%25AD%25D8%25A8%25D9%2583+%25D8%25B4%25D8%25AE%25D8%25B5+%25D9%2585%25D8%25A7` is a primary indicator of malicious intent, likely serving as a gateway to further malicious content. The presence of numerous other links suggests a broad distribution or redirection strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=%25D9%2585%25D8%25A7%25D8%25B0%25D8%25A7+%25D9%258A%25D8%25B9%25D9%2586%25D9%258A+%25D8%25B9%25D9%2586%25D8%25AF%25D9%2585%25D8%25A7+%25D9%258A%25D8%25AD%25D8%25A8%25D9%2583+%25D8%25B4%25D8%25AE%25D8%25B5+%25D9%2585%25D8%25A7
    • https://static.usrfiles.com/ugd/b8c837_af10a04a980c4568ba22dc6c15a8475b.pdf
    • https://static.usrfiles.com/ugd/b8c837_9151738f30464518a1a30bcad4501425.pdf
    • https://static.usrfiles.com/ugd/b8c837_09afb7bc9c834125bc5547bdd4df0aea.pdf
    • https://static.usrfiles.com/ugd/b8c837_712dbd5c204d4b4094da27ff0538d1a6.pdf
    • https://static.usrfiles.com/ugd/b8c837_76103766a10745c29b56f1479b986092.pdf
    • https://cdn.shopify.com/s/files/1/0428/1594/6911/files/rokemupe.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/38967404473.pdf
    • https://cdn.shopify.com/s/files/1/0433/0933/4696/files/gamulowes.pdf
    • https://static.usrfiles.com/ugd/b8c837_a9c67ac738474dfdb6e0367572dc38c4.pdf
    • https://static.usrfiles.com/ugd/accd1f_6c7f04b6f5d148cfac2508fbed515eec.pdf
    • https://static.usrfiles.com/ugd/b8c837_623562211cd74c198580d61541629065.pdf
    • https://static.usrfiles.com/ugd/b8c837_47248dd6f0a14672b265e6081293c3cb.pdf
    • https://static.usrfiles.com/ugd/b8c837_2c11272175974cbb830bac88bda7f0e5.pdf
    • https://static.usrfiles.com/ugd/b8c837_b664f007a70c49e8bd00e3445f21f27d.pdf
    • https://static.usrfiles.com/ugd/b8c837_a16ee868ecb245848121c626a9ffde59.pdf
    • https://static.usrfiles.com/ugd/b58d21_a675977f24c546a3b5cba49d8a64104e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off000103f7.bin
050ed4046cabb6ed732574cf2bf0984fb66ef0d053f3da4a9c525ecdf06f2a51		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x103F7 32584 bytes
font_00_sfnt_off0000bf21.bin
3e900196e372575ee1af689ac1189ef6d8c737e738b089e874f4efaa939d80c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBF21 4068 bytes
font_01_sfnt_off0000ccfd.bin
8ad0d54cb490fb7338edc881c4c48f4cd3ee9f35699ddf4f4405bae764eafd1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCCFD 18108 bytes
font_02_sfnt_off0000e8c6.bin
d0078d497c28d1b7eb66413289a112975d0081a530c91bc47fc5bb4b8d8065f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8C6 7912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.