Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca535e97f539c185…

MALICIOUS

PDF

59.9 KB Created: 2020-09-02 00:04:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa2fc1ad2744f4f0668fe0827f74dcc8 SHA-1: ab9cabe154442fc9f7efeddd3f43392eae8b3a88 SHA-256: ca535e97f539c185725402116707b0dbd7888f806f3113b0c55a3f4598b90f52
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.ru'. The document body, though heavily obfuscated, contains text related to a 'Cattlemen's livestock auction market report' and includes the malicious URL. This suggests a phishing or social engineering attack aiming to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=cattlemen%2527+s+livestock+auction+market+report
    • https://cdn.shopify.com/s/files/1/0437/7129/7943/files/wotowijapimosutazeduto.pdf
    • https://cdn.shopify.com/s/files/1/0461/6595/0627/files/luzemexiravanogerobokepa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0265/0014/files/64327176339.pdf
    • https://cdn.shopify.com/s/files/1/0432/8367/7339/files/17766952264.pdf
    • https://static.usrfiles.com/ugd/57c819_7d531f9f42754b95a52e4f900b50d587.pdf
    • https://static.usrfiles.com/ugd/e481ce_378569a03ccb4c3b9acf3843d4c4d4f0.pdf
    • https://cdn.shopify.com/s/files/1/0438/3545/7698/files/my_guitar_shop_database_exercises_solutions.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0219/files/643184136.pdf
    • https://cdn.shopify.com/s/files/1/0431/8488/1825/files/75365228208.pdf
    • https://cdn.shopify.com/s/files/1/0432/5982/2243/files/alt_j_an_awesome_wave_mega.pdf
    • https://cdn.shopify.com/s/files/1/0435/4693/5447/files/89177967249.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009ed3.bin
97a548116dd796db80004a182a48691dcf461b323f7fa6e65bd047a86d9a9dbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9ED3 5140 bytes
font_01_sfnt_off0000b04a.bin
0b0df561da9474bb953a89b09220514e5d8fbcd2fcd2c3ce1414f0f53e2c2e1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB04A 10480 bytes
font_02_sfnt_off0000d42b.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD42B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.