Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca7a67546b97b4f1…

MALICIOUS

PDF

44.9 KB Created: 2020-08-30 14:57:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b94a4e46223cf9d57aca239a8f1510a1 SHA-1: ba16e946f11efc75424bff9d19492bf42d103b42 SHA-256: ca7a67546b97b4f1db104d55c73642a22edd5859706cfc699cb2b920c6b1efd3
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing for a PDF link farm. One of the primary links, 'https://ttraff.ru/wix?keyword=themes+in+twelfth+night', is flagged as malicious, indicating a redirection attempt. The document body, though heavily obfuscated, also contains this URL, suggesting it's the intended lure. The presence of a malicious redirector link and the link farm structure strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=themes+in+twelfth+night
    • https://static.usrfiles.com/ugd/b8c837_29ad22c65e514da99772012ea466b01c.pdf
    • https://static.usrfiles.com/ugd/b8c837_053c0258328d466fb7a69ceb52b4bdd0.pdf
    • https://static.usrfiles.com/ugd/b8c837_e6d1a1a281cd4e11a0b0ea853dca1c83.pdf
    • https://cdn.shopify.com/s/files/1/0434/0816/2974/files/99448426109.pdf
    • https://cdn.shopify.com/s/files/1/0433/6405/7238/files/pafurugabipanepovukoveda.pdf
    • https://static.usrfiles.com/ugd/b8c837_8c5064a05d2f46b4ac596c50e7c9ba93.pdf
    • https://static.usrfiles.com/ugd/2b25b5_5d6724ed3e0d4a08a8c38ba38de16bed.pdf
    • https://static.usrfiles.com/ugd/c3548c_c6c2876b869c4648a805160d8bdd722d.pdf
    • https://static.usrfiles.com/ugd/b8c837_fb53133584154903b1f367876c521722.pdf
    • https://static.usrfiles.com/ugd/ace02d_bb1a96872d194c3caf2d03847ed48885.pdf
    • https://static.usrfiles.com/ugd/e02969_991f9c78656b41af9d354e42f4f9ef65.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006789.bin
f0249228774b8a3cb35373f5e102f9e8132d9f9c5a97e9923927e32858c0efc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6789 4596 bytes
font_01_sfnt_off0000770b.bin
7ef44784a66f5612825568d667f911984b9480b94112dffa7aef456309947c7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x770B 9884 bytes
font_02_sfnt_off000098a8.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98A8 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.