Malicious PDF — malware analysis report

Static analysis result for SHA-256 bea697ca39f81c6b…

Verdict: MALICIOUS
File type: PDF
Size: 40.1 KB
Created: 2020-08-14 00:44:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a0f215468d18455a8b91a2fabe4121a0
SHA-1: 8fdab40101a6840f52c93cbffae08678f19c2b26
SHA-256: bea697ca39f81c6bc1ab94c06adb94e922ead710d4b0deebafb64feb101979cc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous links, including one pointing to a known malicious redirector at ttraff.ru. This suggests a phishing or malware distribution attempt, likely using SEO techniques to appear legitimate. The document body, though heavily obfuscated, contains the target URL, reinforcing the lure. No scripts were extracted, limiting the analysis of direct payload execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wb?keyword=medical%20pharmacology%20at%20a%20glance%208th%20pdf
    • http://files.allsaintslethbridge.org/uploads/1/3/1/4/131438098/sopopafazaze-dinukizosi.pdf
    • http://mobiparis.sarickmatzen.com/uploads/1/3/1/4/131407406/rewov.pdf
    • http://files.versatile.pub/uploads/1/3/1/3/131398380/7483451.pdf
    • http://files.ibiogen.eu/uploads/1/3/0/8/130873947/xawuxomozika.pdf
    • http://files.nelsonrealm.com/uploads/1/3/1/6/131606087/2088962.pdf
    • https://cdn.shopify.com/s/files/1/0439/7786/7422/files/jonojesixetebi.pdf
    • https://cdn.shopify.com/s/files/1/0429/2201/6934/files/4921693609.pdf
    • https://cdn.shopify.com/s/files/1/0451/0623/3496/files/black_wallpaper_android_pinterest.pdf
    • https://cdn.shopify.com/s/files/1/0430/9437/6605/files/nutowo.pdf
    • https://cdn.shopify.com/s/files/1/0431/7102/0960/files/zakib.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xazijejizamoketabuguta.pdf
    • https://cdn.shopify.com/s/files/1/0431/7744/3483/files/xuzukijisapuxumamanozavuk.pdf
    • https://cdn.shopify.com/s/files/1/0434/6681/7689/files/pedigajulewaredurixudiv.pdf
    • https://cdn.shopify.com/s/files/1/0434/6816/1176/files/reported_speech_business_english_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0431/7016/8992/files/cambridge_igcse_biology_study_and_revision_guide_2nd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0428/9999/6839/files/dapibezinuvuperegugafir.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005db6.bin
  SHA-256: 88ad33ca97d68aa6a2e2345668297ba05197a0760a520805faaeadf41c79ff57
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5DB6
  Size: 5692 bytes

Filename: font_01_sfnt_off00007102.bin
  SHA-256: 448d50fb1c034cadbaa0660752abb3b0673eae2a20b47d178ca5f908e17fc0e6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7102
  Size: 10148 bytes