Malicious PDF — malware analysis report

Static analysis result for SHA-256 c24b81f711a181f3…

MALICIOUS

PDF

41.3 KB Created: 2020-08-13 00:11:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c107e83723834d2f02d8934bb0ca830f SHA-1: ca2458a71e3b9fc6e3554c4e6d26737c72245e04 SHA-256: c24b81f711a181f37150e9756eaa6a9393038645c503113867eef88ae46086db
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a high number of embedded links, many of which point to benign Shopify domains, but one critical link directs to a known malicious redirector at 'ttraff.ru'. This suggests a link farm or SEO poisoning technique used to disguise malicious intent. The document body, though heavily obfuscated, contains the same URL, reinforcing the lure. The primary goal appears to be redirecting the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bsc+nursing+merit+list+2020+pdf
    • http://files.topsthemonkey.com/uploads/1/3/2/6/132695575/popexabesip_joripuloren_nekafuzavisope_wirepileneraki.pdf
    • http://files.afterschoolamerica.org/uploads/1/3/0/7/130776130/077d58.pdf
    • http://files.cmurillo.com/uploads/1/3/2/7/132740329/97b2d1590d8.pdf
    • https://cdn.shopify.com/s/files/1/0437/4459/2021/files/lifolatozabipobegawam.pdf
    • https://cdn.shopify.com/s/files/1/0434/1379/9066/files/rebebususetijati.pdf
    • https://cdn.shopify.com/s/files/1/0435/5912/5160/files/95797193991.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/26450106566.pdf
    • https://cdn.shopify.com/s/files/1/0434/4374/9029/files/z390_aorus_pro_wifi_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/2597/2904/files/badavawiluxafetaliz.pdf
    • https://cdn.shopify.com/s/files/1/0438/8736/2216/files/delolugumalo.pdf
    • https://cdn.shopify.com/s/files/1/0431/8999/3635/files/accidentals_in_music.pdf
    • https://cdn.shopify.com/s/files/1/0430/7759/9383/files/turepawoxowu.pdf
    • https://cdn.shopify.com/s/files/1/0429/7208/6423/files/69921096223.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062e2.bin
9ced94d71b224e2d648410b331f2c2d69730233311a8b1045c155fb2d19cce6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62E2 5588 bytes
font_01_sfnt_off000075ce.bin
27c1f101dc6c8a444765918956dd7a16879da237d6b9dab9f2d6f5356f186986		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75CE 10180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.