Malicious PDF — malware analysis report

Static analysis result for SHA-256 b740930c80f1ba6e…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2020-09-16 17:13:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01eff1f1db4977270b10761710d6310a
SHA-1: 6e92bfc50fa29049be0c0405474ad05f118f0bb7
SHA-256: b740930c80f1ba6e2cecc321f6040845d5905034b950133203a938d03855c243
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries numerous clickable link annotations, a technique commonly used to redirect users to attacker-controlled sites. Specifically, the URL 'https://ttraff.ru/wix?keyword=eve+online+guristas+epic+arc+guide' is flagged as a known malicious redirector. The document body, though partially corrupted, references this URL alongside a cluster of external PDF links, a pattern consistent with a generated link-farm / SEO-poisoning carrier built to funnel traffic into malicious infrastructure rather than a document exploiting a parser vulnerability. The ML classifier also scored the sample as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing www.w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links.
    • https://ttraff.ru/wix?keyword=eve+online+guristas+epic+arc+guide
    • http://vumiriju.thefieldhousecanaan.com/uploads/1/3/2/6/132681504/sefikeji.pdf
    • http://files.relationalbalance.com/uploads/1/3/1/4/131438453/7106347.pdf
    • http://wegari.buckleyscatering.com/uploads/1/3/1/1/131164250/dijapi-vosurefizo-sovugip.pdf
    • http://www.eveonline...a...69
    • https://74f3db12-7bd5-4cbd-9f6e-80f808f209aa.filesusr.com/ugd/cc3ca9_4127ee1e46c54e878efaa54049b835e2.pdf?index=true
    • https://f0ae953d-b9e1-461a-987c-ff1a0e9bcf24.filesusr.com/ugd/33a2e4_7f1d09a419b2478bb520d7f1190f3532.pdf?index=true
    • https://76a5ac18-70cd-413f-85a0-991c05070f4a.filesusr.com/ugd/70e7d4_890ce8ae309e430a9cff075cbf7df3b4.pdf?index=true
    • https://e68d633b-55d7-4218-b045-55993e06994b.filesusr.com/ugd/c4dbd3_edbb811ea8d840d895f56146ddd2799f.pdf?index=true
    • https://f1a5ce7b-150e-415d-9f6f-1abeaa514be7.filesusr.com/ugd/8bf3fc_6bffa47ef9d04acf937b8ae7f604a1d9.pdf?index=true
    • https://3f8249f8-32b1-4c9f-9b13-e604b46fe34e.filesusr.com/ugd/ade4e6_ba0086a49cdb4e50b178c84eab37f184.pdf?index=true
    • https://519e0b21-74ce-457b-8432-79d97142d7b8.filesusr.com/ugd/529dbf_5313f0437064458b89ea6d5b9215eac0.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/3840/6806/files/blood_hand_signs_step_by_step.pdf
    • https://cdn.shopify.com/s/files/1/0429/1959/2099/files/stellaris_great_khan_wiki.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
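As a worked illustration of the two critical heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) and of the channel labelling that EMBEDDED_URL refers to, the following script is an added example and is not the analysis platform's own code. It scans raw PDF bytes for /URI link-annotation strings, classifies every other URL-looking string as either an XMP namespace declaration or plain document-body text, and then applies a small-file, many-external-PDF-links, one-dominant-domain rule. The redirector host list (seeded with ttraff.ru from this report), the thresholds (100 KB, 8 PDF links, 50 % share) and the sample document built by build_sample_pdf are all assumptions made for the example.

```python
"""Triage a PDF for link-farm / redirector indicators (added example, not the
analysis platform's code). Works on raw bytes with regular expressions, so it
only sees URIs stored uncompressed; for real samples, inflate FlateDecode'd
object streams first (e.g. with a PDF library) and then scan the result."""
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts treated as known malicious redirectors. ttraff.ru is the host flagged
# in the report; a real deployment would load this set from threat intel.
REDIRECTOR_HOSTS = {"ttraff.ru"}

# /URI (literal string) inside a link-annotation action. Handles backslash
# escapes but not hex strings (<...>) or content inside compressed streams.
URI_ANNOT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Any http(s) URL anywhere in the file, used to classify the delivery channel.
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# XMP/RDF namespace declarations: identifiers, not links.
XMLNS_RE = re.compile(rb"xmlns:[A-Za-z0-9_]+=\"(https?://[^\"]+)\"")


def _unique(items):
    """Order-preserving de-duplication."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def registrable_domain(host):
    """Collapse <uuid>.filesusr.com onto filesusr.com. Approximation (last two
    labels); a production version should consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(pdf):
    """Return URLs keyed by the channel that carries them."""
    annots = _unique(m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf))
    xmp_ns = _unique(m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf))
    known = set(annots) | set(xmp_ns)
    body = _unique(u for u in (m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf))
                   if u not in known)
    return {"link_annotation": annots, "xmp_namespace": xmp_ns, "document_body": body}


def triage(pdf, redirector_hosts=REDIRECTOR_HOSTS, small_bytes=100_000,
           min_pdf_links=8, min_share=0.5):
    """Apply PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM to raw bytes."""
    urls = extract_urls(pdf)
    links = urls["link_annotation"]
    parsed = [(u, urlparse(u)) for u in links]
    hits = []

    # Rule 1: any clickable link whose host is a known redirector.
    redirectors = [u for u, p in parsed if (p.hostname or "") in redirector_hosts]
    if redirectors:
        hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))

    # Rule 2: small file, many external .pdf links, mostly on one domain.
    external_pdf = [u for u, p in parsed if p.hostname and p.path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(p.hostname) for _, p in parsed if p.hostname)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(links) if links else 0.0
    if len(pdf) < small_bytes and len(external_pdf) >= min_pdf_links and share >= min_share:
        hits.append(("critical", "PDF_SEO_LINK_FARM",
                     {"pdf_links": len(external_pdf), "top_domain": top_domain,
                      "share": round(share, 2)}))

    return {"urls": urls, "hits": hits, "verdict": "MALICIOUS" if hits else "NO_DETECTION"}


def build_sample_pdf(links, body_text="Visit https://example.org/notes for more"):
    """Constructed test document: one page whose /Annots array carries a /Link
    annotation per URL, an XMP metadata stream and a content stream. No xref
    table is written; a regex scanner does not need one."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {12 * i} 200 {12 * i + 10}] "
        f"/A << /S /URI /URI ({u}) >> >>" for i, u in enumerate(links))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    content = f"BT ({body_text}) Tj ET"
    doc = ("%PDF-1.4\n"
           "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
           "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
           f"/Contents 5 0 R /Annots [{annots}] >> endobj\n"
           f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n"
           f"{xmp}\nendstream endobj\n"
           f"5 0 obj << /Length {len(content)} >> stream\n{content}\nendstream endobj\n"
           "trailer << /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")


# Constructed link set mirroring the report's shape: one redirector, eight
# UUID-style filesusr.com PDF links, one cdn.shopify.com PDF, one HTML link.
SAMPLE_LINKS = (
    ["https://ttraff.ru/wix?keyword=eve+online+guristas+epic+arc+guide"]
    + [f"https://{i:08x}-0000-4000-8000-000000000000.filesusr.com/ugd/{i:06x}_doc.pdf?index=true"
       for i in range(8)]
    + ["https://cdn.shopify.com/s/files/1/0000/0000/0000/files/example.pdf",
       "http://www.example.net/guide.html"]
)

if __name__ == "__main__":
    report = triage(build_sample_pdf(SAMPLE_LINKS))
    print(report["verdict"])
    for severity, rule, detail in report["hits"]:
        print(f"  [{severity}] {rule}: {detail}")
    for channel, found in report["urls"].items():
        print(f"  {channel}: {len(found)} url(s)")
```

Clustering is done on the registrable domain rather than the full host so that the per-link random subdomains used by hosting platforms still count as one destination; on the sample above the dominant domain holds 8 of 11 links, which together with the file size and the nine external .pdf targets is what trips PDF_SEO_LINK_FARM. The namespace URIs from the XMP stream land in their own bucket and never contribute to either rule.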

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005037.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5037   5256 bytes
  SHA-256: a1d2c2318c012a0d7b6c6741207a224d8dd48c717749a47397fb4577e2368cc8
font_01_sfnt_off00006230.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6230   10664 bytes
  SHA-256: c6265190480724cd1e6ab65773a39efee9c3947c95b64626b14372e08482c57f