Malicious PDF — malware analysis report

Static analysis result for SHA-256 b531080cd1425c01…

MALICIOUS

PDF

43.6 KB Created: 2020-08-30 14:24:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 051ce038e2dc98b84550989c7a653312 SHA-1: a68801380d0f592cd4cc1f92b3ffd580cdc3138a SHA-256: b531080cd1425c019ee57738ff1aed18a367572dc825a50248b85b2ef35fde23
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and contains a critical heuristic indicating it is a redirector link. The primary malicious URL, 'https://ttraff.ru/wix?keyword=Freunde+in+not+green+valley+az', is likely used to direct users to a harmful destination. Additionally, the PDF exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, suggesting an attempt to manipulate search engine rankings or distribute content through a network of linked documents.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=Freunde+in+not+green+valley+az
    • https://static.usrfiles.com/ugd/0c8cc8_ec1c71adfd6848cd9583c9b22ec0bd27.pdf
    • https://static.usrfiles.com/ugd/de3d83_0cccc864edac4050a7ee4b54d907c15e.pdf
    • https://static.usrfiles.com/ugd/b8c837_43cdedc5c9ef437aaec158e14bc2b1c2.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b94b05d034940d8877c2d6facf28444.pdf
    • https://static.usrfiles.com/ugd/b8c837_4a12b8c2a6b14c78b162a8183953af0f.pdf
    • https://static.usrfiles.com/ugd/55cc32_bb5f203a418b456eaafb43a14f746c2a.pdf
    • https://static.usrfiles.com/ugd/b8c837_8a7bf8554a97403e93b7d87f1af93064.pdf
    • https://static.usrfiles.com/ugd/1fbf8b_752d016577e64e87b39190ddd8737931.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_d83252ff76774610a3892a515cd693a9.pdf
    • https://static.usrfiles.com/ugd/b8c837_132628c7ef364e36a9117a681bf6acdf.pdf
    • https://static.usrfiles.com/ugd/b48b60_a1ba0da2adbc43f9b2eac5241d321779.pdf
    • https://static.usrfiles.com/ugd/b8c837_fc4d593d89d3458f8c6ce36337143781.pdf
    • https://static.usrfiles.com/ugd/b8c837_98eda345d9194ab19ddc3765e58111cc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000638a.bin
d06db49c296c40ca5d303a49dda4e284e95aaf76eaa146ef30b41d2fb8a740ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x638A 4984 bytes
font_01_sfnt_off000074a3.bin
ffecf7f57c9351eb978b97bbc05e908cdaa0ed72e87ecd757136957a81810377		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74A3 14520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.