Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5f9e4024daed6eb…

MALICIOUS

PDF

45.7 KB Created: 2020-08-29 17:15:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc4fde51ee0d351f67d87be08b28ea4c SHA-1: 3c0b311aa7f5fa594b6d60b5dd583e9204830fb6 SHA-256: c5f9e4024daed6eb01b0ff4ae79ec1aee6656a60d5a5d22109b9b083f9ecf149
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links to other PDF files, a technique often used for SEO poisoning or to obscure malicious intent. One of the embedded URLs, 'https://ttraff.ru/wix?keyword=wilbarger+protocol+oral+tactile+technique', is flagged as a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body contains garbled text but includes the malicious URL and a benign-looking Shopify URL, suggesting a lure or obfuscation tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=wilbarger+protocol+oral+tactile+technique
    • https://cdn.shopify.com/s/files/1/0429/8804/4447/files/guxefolug.pdf
    • https://cdn.shopify.com/s/files/1/0429/5986/3959/files/2522675660.pdf
    • https://cdn.shopify.com/s/files/1/0437/5147/3303/files/82454732298.pdf
    • https://cdn.shopify.com/s/files/1/0435/3366/4411/files/casio_calculator_app.pdf
    • https://cdn.shopify.com/s/files/1/0432/6667/0745/files/50728453585.pdf
    • https://cdn.shopify.com/s/files/1/0429/6884/2393/files/gedorugavebinegejogo.pdf
    • https://cdn.shopify.com/s/files/1/0435/2458/7674/files/rofetosakubava.pdf
    • https://cdn.shopify.com/s/files/1/0437/9446/4929/files/classic_man_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0433/9679/2478/files/xigulipukemu.pdf
    • https://cdn.shopify.com/s/files/1/0447/3189/1861/files/list_of_adjectives_to_describe_a_person_with_meaning.pdf
    • https://cdn.shopify.com/s/files/1/0431/6335/3250/files/82441075013.pdf
    • https://cdn.shopify.com/s/files/1/0462/6690/8834/files/childwise_fact_sheets.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000074df.bin
9bf6fb5d83063ad24e672137896fcd3cfaeb1c36b966cecd631beeefe9f3689e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74DF 5296 bytes
font_01_sfnt_off000086df.bin
a14f2460a8f6d8415bf9fa5885e752dd46c9fc40146d6a47ca9965e13c0d7c3f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x86DF 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.