Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0da9d6742913cdc…

Verdict: MALICIOUS
File type: PDF
Size: 54.7 KB
Created: 2020-08-12 20:59:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6c586ce3a0f7c628c01feff3223a22c
SHA-1: cd2861ad30ed9d13b46cfcb0111fdcc5b1911519
SHA-256: d0da9d6742913cdc6ad6ab0e3de95ec7825c0370b0ae0baec43068e8a3f3d990
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment   T1204.001 Malicious Link

The PDF carries an unusually large number of clickable link annotations for a 54.7 KB document. Most of them point to other PDFs hosted on cdn.shopify.com, with a handful on /uploads/ paths under unrelated domains: the cross-linking pattern of a generated SEO link farm rather than a normal citation pattern. One critical heuristic found a direct link to the known malicious redirector ttraff.ru. The search phrase carried in that URL's keyword parameter ("huawei p20 lite user manual pdf") ties the lure to the query a victim presumably used to find the document, so this link is the likely delivery mechanism. The document body, though heavily corrupted, also contains that same URL, reinforcing the pattern. The file was produced with wkhtmltopdf, consistent with bulk HTML-to-PDF generation of such carriers. No PDF parser vulnerability is involved: the chain depends on the user clicking the link and following the redirect.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wb?keyword=huawei%20p20%20lite%20user%20manual%20pdf
    • http://piwat.bathwickestateresidentsassociation.org/uploads/1/3/1/4/131452821/48dfbb42f68.pdf
    • http://rurobiru.leighannsgallery.com/uploads/1/3/1/6/131637136/mozagutoxog.pdf
    • http://vuletabub.yleniamino.com/uploads/1/3/0/7/130738970/bunixemafuxubure.pdf
    • http://daledula.conscience-ai.com/uploads/1/3/1/3/131383483/7885142.pdf
    • http://mivines.trucksntools.com/uploads/1/3/1/4/131453133/8961988.pdf
    • https://cdn.shopify.com/s/files/1/0434/6108/3288/files/maytag_quiet_series_200_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/9613/7111/files/pokemon_insurgence_rom.pdf
    • https://cdn.shopify.com/s/files/1/0434/4214/3388/files/sibutuposururowenumudarez.pdf
    • https://cdn.shopify.com/s/files/1/0437/8555/2030/files/jizumap.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/64989875230.pdf
    • https://cdn.shopify.com/s/files/1/0433/9938/1157/files/99293825227.pdf
    • https://cdn.shopify.com/s/files/1/0431/1960/7962/files/spanish_civil_war_summary.pdf
    • https://cdn.shopify.com/s/files/1/0448/0948/6498/files/bebop_1_student_s_book.pdf
    • https://cdn.shopify.com/s/files/1/0430/6799/8359/files/66095540039.pdf
    • https://cdn.shopify.com/s/files/1/0437/2099/9064/files/78120884169.pdf
    • https://cdn.shopify.com/s/files/1/0429/1756/0473/files/37940453402.pdf
    • https://cdn.shopify.com/s/files/1/0439/1016/8744/files/64615780887.pdf
    • https://cdn.shopify.com/s/files/1/0452/1800/5143/files/11832280163.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace identifiers from the document's metadata packet, not clickable links; the URL extractor picks them up from the raw bytes and they carry no detection weight.
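The two critical heuristics above (PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK) reduce to a few checks over a document's link annotations. The following is an added example written for this page, not the analysis platform's own detection code: it builds a small PDF in memory from URLs taken from the report's list (constructed sample data), pulls the /URI action targets out of the raw bytes, separates them from the XMP namespace identifiers that also surface as "URLs", and applies analogues of both heuristics. The thresholds, the REDIRECTOR_HOSTS set and all function names are assumptions made for illustration.

```python
"""Added example (not the analysis platform's own code): extract URI link
annotations from a PDF and apply analogues of the PDF_SEO_LINK_FARM and
PDF_MALICIOUS_REDIRECTOR_LINK heuristics. The sample PDF is constructed in
memory from URLs in the report; thresholds and the redirector host list are
assumptions made for illustration."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed stand-in for real redirector threat intelligence.
REDIRECTOR_HOSTS = {"ttraff.ru"}
# XMP/RDF namespace identifiers live in PDF metadata and are not navigable links.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/", "http://ns.adobe.com/")
# /URI (string) of a URI action; tolerates backslash escapes inside the string.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
BARE_URL = re.compile(rb"https?://[^\s()<>\"']+")

XMP = ('<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')


def build_sample_pdf(urls):
    """Constructed sample: one page with a /Link annotation + /URI action per URL
    (the shape an HTML-to-PDF converter emits for <a href>). No xref table is
    written because the extractor below scans raw bytes, as a carver would."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {10 * i} 200 {10 * i + 10}] "
        f"/A << /S /URI /URI ({u}) >> >>" for i, u in enumerate(urls))
    objs = [
        "<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{annots}] >>",
        f"<< /Type /Metadata /Subtype /XML /Length {len(XMP)} >>\nstream\n{XMP}\nendstream",
    ]
    body = "".join(f"{n} 0 obj\n{o}\nendobj\n" for n, o in enumerate(objs, 1))
    return ("%PDF-1.4\n" + body + "%%EOF\n").encode("latin-1")


def extract_urls(pdf_bytes):
    """Return (link_targets, other_urls): clickable /URI action strings versus bare
    http(s) matches elsewhere in the file, with XMP namespace identifiers dropped.
    Caveat: raw-byte scanning misses annotations kept inside compressed object
    streams; a production extractor must inflate those first."""
    links = [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf_bytes)]
    seen = {m.group(0).decode("latin-1") for m in BARE_URL.finditer(pdf_bytes)}
    other = sorted(u for u in seen
                   if u not in links and not u.startswith(NAMESPACE_PREFIXES))
    return links, other


def link_farm_verdict(pdf_bytes, links, max_size=200_000, min_links=8, min_share=0.6):
    """PDF_SEO_LINK_FARM analogue: a small file whose clickable targets are mostly
    external .pdf files clustered on one host. Returns a dict when it fires."""
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) > max_size or len(pdf_links) < min_links:
        return None
    host, n = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
    share = n / len(pdf_links)
    if share < min_share:
        return None
    return {"pdf_links": len(pdf_links), "top_host": host, "share": round(share, 2)}


def redirector_hits(links):
    """PDF_MALICIOUS_REDIRECTOR_LINK analogue: any target on a known redirector
    host, paired with the search phrase the campaign threads through the query
    string (the ?keyword= parameter visible in the report's ttraff.ru URL)."""
    hits = []
    for u in links:
        parts = urlsplit(u)
        if parts.hostname in REDIRECTOR_HOSTS:
            hits.append((u, parse_qs(parts.query).get("keyword", [None])[0]))
    return hits


SAMPLE_LINKS = [  # subset of the URLs listed in the report
    "https://ttraff.ru/wb?keyword=huawei%20p20%20lite%20user%20manual%20pdf",
    "http://piwat.bathwickestateresidentsassociation.org/uploads/1/3/1/4/131452821/48dfbb42f68.pdf",
    "http://rurobiru.leighannsgallery.com/uploads/1/3/1/6/131637136/mozagutoxog.pdf",
    "https://cdn.shopify.com/s/files/1/0434/6108/3288/files/maytag_quiet_series_200_manual.pdf",
    "https://cdn.shopify.com/s/files/1/0433/9613/7111/files/pokemon_insurgence_rom.pdf",
    "https://cdn.shopify.com/s/files/1/0434/4214/3388/files/sibutuposururowenumudarez.pdf",
    "https://cdn.shopify.com/s/files/1/0437/8555/2030/files/jizumap.pdf",
    "https://cdn.shopify.com/s/files/1/0428/9835/8432/files/64989875230.pdf",
    "https://cdn.shopify.com/s/files/1/0433/9938/1157/files/99293825227.pdf",
    "https://cdn.shopify.com/s/files/1/0431/1960/7962/files/spanish_civil_war_summary.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS)

if __name__ == "__main__":
    links, other = extract_urls(SAMPLE_PDF)
    print(len(links), "link targets;", len(other), "other URLs")
    print(link_farm_verdict(SAMPLE_PDF, links))
    print(redirector_hits(links))
```

Two practical notes. First, this scans the raw file as a carver would; many real carriers keep their annotations inside compressed object streams, so run a proper parser (pypdf, pdfminer or similar) to inflate them before applying the same logic. Second, log the keyword parameter alongside the redirector hit: it is the one field that links the carrier to the search query the victim typed, which is useful when clustering a campaign's carriers by target audience.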

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00006995.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6995   3724 bytes
    SHA-256 acbea21cca9e2125c978230c1195a647d348a086f7647dde0ecf8ff719b6a5dd
font_01_sfnt_off000076d2.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x76D2   5512 bytes
    SHA-256 8522789afbdcafdbf14ebdec0759d0ca7e28a33138c8eb62366713df9271f8b3
font_02_sfnt_off0000897d.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x897D   11844 bytes
    SHA-256 228cea9814b1d438bf7ea30c65d5cd2b42f631cbeef9b4d5e6359a9f86abb77d
font_03_sfnt_off0000b03a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xB03A   18100 bytes
    SHA-256 c64680ed724da94ce6662d10fc4639a6036ffac6dc1be882443d82608bd0b4a2

The only objects carved from the sample are these four embedded font subsets, which is what an HTML-to-PDF converter such as wkhtmltopdf embeds for the page's text. That is consistent with the heuristics above: the malicious content is the link annotations, not an executable payload inside the file.