Malicious PDF — malware analysis report

Static analysis result for SHA-256 d08d5e69ea0eea08…

MALICIOUS

PDF

47.8 KB Created: 2020-09-01 06:17:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b04a1ba272663429957608c2aacbd5fd SHA-1: 3887b44f1516c50c5233252bb79894727b5b3de9 SHA-256: d08d5e69ea0eea0895e877deea3bd92c835e2f51ae0bc2cd0d2fa32151c2ed97
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=writing+skills+pdf'. This indicates the document's primary purpose is to redirect users to malicious infrastructure. The PDF also contains a large number of external links, suggesting a link farm or SEO poisoning tactic. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=writing+skills+pdf
    • https://static.usrfiles.com/ugd/db93e9_4d168aa770bd4109a00bdea55f2b0a60.pdf
    • https://static.usrfiles.com/ugd/b8c837_049435b7521a46c4a353f38bb6e5166b.pdf
    • https://static.usrfiles.com/ugd/b8c837_d31096489efc48f1ae5892255feb8075.pdf
    • https://cdn.shopify.com/s/files/1/0435/3641/6936/files/wazixozikomidul.pdf
    • https://cdn.shopify.com/s/files/1/0429/5327/7589/files/synonyme_und_antonyme_deutsch_pdf.pdf
    • https://cdn.shopify.com/s/files/1/0437/9744/6818/files/ripatimemozef.pdf
    • https://cdn.shopify.com/s/files/1/0436/7273/1801/files/essential_haematology_hoffbrand_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/2791/4152/files/types_of_bandages_and_dressings.pdf
    • https://static.usrfiles.com/ugd/f80014_70d0f13fe9e54d92a4fbc17f748f1057.pdf
    • https://static.usrfiles.com/ugd/3b7182_82468680c7ab4e5ba3683a84df407147.pdf
    • https://static.usrfiles.com/ugd/b8c837_2c354ab937614221a690f8e5650ebb8a.pdf
    • https://static.usrfiles.com/ugd/0d9a50_1f171e2231cc4bf98cf5cb44c192de61.pdf
    • https://static.usrfiles.com/ugd/bb13a2_d879d28869c54d9db5f00cbc3dcc5ba7.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_aeb0df054c8541b6a97a880e0f81fbd0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007202.bin
ea8bf820d9e4a9b6cebee3e2b1b554c7d2dfe0d3891cc5fb1e61998ec4306d48		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7202 4636 bytes
font_01_sfnt_off000081d9.bin
7ea58d9e5f0edd9aada5bc59917bb0b4d1357038123bebb7769936b590340904		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81D9 10024 bytes
font_02_sfnt_off0000a409.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA409 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.