Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4f59c71020b054f…

Verdict: MALICIOUS
File type: PDF

Size: 43.5 KB  Created: 2020-08-31 03:50:31 +03:00  Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: efdffc112729c1353c6b19b6a1ddd15f  SHA-1: 84b222fb284bc963f3ae90f361268bf8fde25fd6  SHA-256: d4f59c71020b054fe0ae706c639a306f3601ad82fd1a23c65a6cbd1b104619bb
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

A critical heuristic fired on a clickable link to the known malicious redirector host ttraff.ru. The link's query string ('gundam assault survive english patch') is dressed up as a search result for a game patch, a lure that relies on the user clicking rather than on any parser vulnerability. The file also has the shape of a generated SEO link farm: a 43.5 KB document carrying fourteen external .pdf links, most on cdn.shopify.com and the rest on static.usrfiles.com. The ML classifier scored the PDF as malicious with maximum confidence. No JavaScript or other active content was extracted; the verdict rests on the redirector link and the link-farm structure, which together match a user-interaction-driven adware/unwanted-software delivery chain.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk is in what the link leads to, not in opening the file.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external .pdf links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=gundam+assault+survive+english+patch  (link annotation; the redirector flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://cdn.shopify.com/s/files/1/0436/5733/0853/files/vadevirakod.pdf
    • https://cdn.shopify.com/s/files/1/0430/4571/6119/files/57002237701.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/41877136991.pdf
    • https://cdn.shopify.com/s/files/1/0436/4537/0518/files/french_english_dictionary.pdf
    • https://static.usrfiles.com/ugd/e2f197_20e6ef354b2943e4996357ad81f55988.pdf
    • https://static.usrfiles.com/ugd/b8c837_338ec52389554e22a26c0a95fb6e4160.pdf
    • https://cdn.shopify.com/s/files/1/0432/2341/6995/files/rafaxeradum.pdf
    • https://cdn.shopify.com/s/files/1/0432/2630/0575/files/45219519644.pdf
    • https://cdn.shopify.com/s/files/1/0433/4567/4389/files/saranam_ayyappa_telugu_songs_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/6279/6186/files/information_technology_department_roles_and_responsibilities.pdf
    • https://cdn.shopify.com/s/files/1/0430/0872/1049/files/76429751706.pdf
    • https://static.usrfiles.com/ugd/b8c837_0f9326a119f7485cb276171c83afeed1.pdf
    • https://static.usrfiles.com/ugd/fa6f14_5331c5cd820a4b0d95f7389e738fa770.pdf
    • https://static.usrfiles.com/ugd/b8c837_184b8fb892aa49e5bf07b8003eeaf816.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (XMP/RDF metadata namespace, not a clickable link)
    • http://purl.org/dc/elements/1.1/  (XMP metadata namespace)
    • http://ns.adobe.com/pdf/1.3/  (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/  (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/mm/  (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/rights/  (XMP metadata namespace)
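The three structural checks above (clickable /URI extraction, the link-farm host-clustering test, and duplicate indirect object definitions with first-wins versus last-wins resolution) can be reproduced for triage with a few regexes. The script below is an added example, not the analysis platform's own code; it runs on a constructed PDF with hypothetical hosts (first.example, cdn.example, redirect.example, last.example), and the link-farm thresholds (200 KB, at least five .pdf links, at least half on one host) and the set of keys treated as active content are assumptions, not the platform's rules. It only sees uncompressed objects; content inside compressed object streams needs a real parser.

```python
"""Triage helpers for link-farm / redirector PDF carriers (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the report's sample: four link annotations on one
# host, one redirector link, object 4 0 defined twice with different /URI
# bodies, and object 10 0 defined twice with different JavaScript bodies.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /S /URI /URI (https://first.example/a.pdf) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/files/1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/files/2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/files/3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example/files/4.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirect.example/go?keyword=patch) >> >> endobj
10 0 obj << /S /JavaScript /JS (app.alert('first')) >> endobj
4 0 obj << /S /URI /URI (https://last.example/b.pdf) >> endobj
10 0 obj << /S /JavaScript /JS (app.alert('last')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" for uncompressed objects; lookbehind stops "10 0 obj"
# from also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI literal strings without escaped parentheses (hex strings not handled).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed definition of "active content": things that run without a click.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def extract_uris(data: bytes) -> list[str]:
    """Every /URI literal in file order, including both copies of a duplicated object."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def duplicate_objects(data: bytes) -> dict[tuple[int, int], dict]:
    """(number, generation) pairs defined more than once with differing bodies.

    Reports the first-wins and last-wins bodies so the reader-dependent
    resolution is visible, and applies the report's severity rule: info
    unless one of the bodies carries active content.
    """
    bodies: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    out = {}
    for key, blist in bodies.items():
        if len(set(blist)) < 2:          # same bytes redefined: harmless
            continue
        active = any(k in b for b in blist for k in ACTIVE_KEYS)
        out[key] = {
            "first_wins": blist[0],
            "last_wins": blist[-1],
            "severity": "critical" if active else "info",
        }
    return out


def link_farm_check(uris, size_bytes, max_size=200_000, min_pdf_links=5, min_share=0.5) -> dict:
    """Small file + many external .pdf links + most on one host (thresholds assumed)."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_share": share,
        "link_farm": size_bytes <= max_size and len(pdf_links) >= min_pdf_links and share >= min_share,
    }


def triage(data: bytes) -> dict:
    uris = extract_uris(data)
    return {"uris": uris, "farm": link_farm_check(uris, len(data)), "dups": duplicate_objects(data)}


if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    print(f"{len(r['uris'])} URIs, link farm: {r['farm']}")
    for (num, gen), d in r["dups"].items():
        print(f"object {num} {gen} defined twice ({d['severity']}): "
              f"first-wins={d['first_wins']!r} last-wins={d['last_wins']!r}")
```

On the constructed sample the link-farm test fires (six .pdf links, four of them on cdn.example), object 4 0 is reported at info because its duplicate only changes a click-driven /URI, and object 10 0 is raised to critical because the duplicated body is JavaScript. Which of the two bodies a viewer executes depends on whether it trusts the first or the last definition, which is exactly why the duplicate is worth surfacing.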

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00004e63.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E63 | 4576 bytes | 3647a2a2860b84542bd831db44b5d3e63cc9636f32fa8a92e4d70c7a6fb0c33d
font_01_sfnt_off00005e34.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E34 | 5348 bytes | e06091ff2f424d17e822acc191ec1b99dc01b789f5cf56b4138ba5b1dabac105
font_02_sfnt_off0000703f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x703F | 10068 bytes | 8cf9eb51001309c6f54bb8bf174eb1a0ddc43546c4fa2f948848dc5554ed2305
font_03_sfnt_off00009289.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9289 | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333