Malicious PDF — malware analysis report

Static analysis result for SHA-256 d43e6b403b973f06…

MALICIOUS

PDF

44.4 KB Created: 2020-08-10 22:40:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 995d661532282313b88307b433ca3468 SHA-1: bf473f9d703a0a8eebdbaa8e6f7e8eb49d7afead SHA-256: d43e6b403b973f06f37d3986a31b7a2ce48d5c01de1f449c573fa8680e33af54
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.ru/pify?keyword=teach+yourself+beginner+s+russian+script+pdf'. This suggests the document is part of a link farm or SEO poisoning campaign designed to drive traffic to malicious infrastructure. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=teach+yourself+beginner+s+russian+script+pdf
    • http://files.whenham.com/uploads/1/3/0/8/130874141/fasezopinajopik_gilerawefeleten_bepab.pdf
    • http://files.sgrhokc.com/uploads/1/3/1/4/131406222/443d384a2e2df.pdf
    • http://files.newworldtribe.us/uploads/1/3/1/0/131070611/gerelopafefusilixo.pdf
    • http://files.hughesenveng.com/uploads/1/3/1/4/131437157/pikogak.pdf
    • http://walutan.pninax.com/uploads/1/3/2/3/132303382/3516928.pdf
    • https://cdn.shopify.com/s/files/1/0433/8388/1893/files/budget_highlights_2020_19.pdf
    • https://cdn.shopify.com/s/files/1/0439/1885/2264/files/37308498253.pdf
    • https://cdn.shopify.com/s/files/1/0428/9904/6553/files/forensic_files_episodes.pdf
    • https://cdn.shopify.com/s/files/1/0431/4077/6090/files/4566046082.pdf
    • https://cdn.shopify.com/s/files/1/0434/5767/5431/files/el_sitio_de_leningrado.pdf
    • https://cdn.shopify.com/s/files/1/0428/8082/7558/files/lifugagowuvavap.pdf
    • https://cdn.shopify.com/s/files/1/0430/6193/6282/files/4272629383.pdf
    • https://cdn.shopify.com/s/files/1/0440/1466/5878/files/jewilogapupafugobup.pdf
    • https://cdn.shopify.com/s/files/1/0431/5011/4967/files/75572503659.pdf
    • https://cdn.shopify.com/s/files/1/0435/7079/0558/files/concept_of_triple_bottom_line.pdf
    • https://cdn.shopify.com/s/files/1/0429/6212/4959/files/66410087175.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e9a.bin
62f3a6ebf801398db6fab9e0b950ce2ce2cfcc2cdcbbab959d6a65d7bc2d405d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E9A 5608 bytes
font_01_sfnt_off000081a8.bin
e37822780b438fd374367b193a076e0aa9e97e8259323c27e105ba8abdd7bd61		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81A8 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.