Malicious PDF — malware analysis report

Static analysis result for SHA-256 da85b9863f08af20…

MALICIOUS

PDF

46.4 KB Created: 2020-09-01 03:37:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 15eb3164315bee72e6d29f2be43782e1 SHA-1: 4e5b308de152d4dc0884285d913184cd3f922122 SHA-256: da85b9863f08af20e18ddd812182c7c49fffddfde42e7aa40b6c643ac5ed4378
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document was flagged by multiple critical heuristics for containing a malicious redirector link and a link farm. The primary malicious URL identified is https://ttraff.ru/wix?keyword=flat+booking+form, which is likely used to direct users to a phishing or malware-hosting site. The document body, though heavily obfuscated, contains references to booking forms, suggesting a lure for users seeking services. No scripts were extracted, but the extensive link farm indicates a delivery mechanism focused on external redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=flat+booking+form
    • https://static.usrfiles.com/ugd/d1c05f_82ac7c709015403f8985d232ebb5a901.pdf
    • https://static.usrfiles.com/ugd/23e9be_4e37490ff1ee4f93b7f7d39c63eb3cc5.pdf
    • https://static.usrfiles.com/ugd/217d68_e3ad2c1398254fe281d059c0b8aec0e3.pdf
    • https://static.usrfiles.com/ugd/e73fea_c9fc6b0b63944f77acb23fdd0c4f8dcb.pdf
    • https://static.usrfiles.com/ugd/6c032c_7a50fac2545d4567a7dc2f5772abf206.pdf
    • https://cdn.shopify.com/s/files/1/0438/6524/3803/files/lenobapijadunidudi.pdf
    • https://cdn.shopify.com/s/files/1/0430/7173/3917/files/kemabufuwegu.pdf
    • https://cdn.shopify.com/s/files/1/0433/4754/2175/files/52349365464.pdf
    • https://cdn.shopify.com/s/files/1/0430/8772/4704/files/zugijumobomejupunefuxit.pdf
    • https://static.usrfiles.com/ugd/0dcf4b_9bd19c2be5a44eed85c60f9fa58a7119.pdf
    • https://static.usrfiles.com/ugd/b7ab08_1ac2d799d109415ab532df9aec04a972.pdf
    • https://static.usrfiles.com/ugd/dba42a_23dfb44bdcc44b4685060fc18bf6ba9b.pdf
    • https://static.usrfiles.com/ugd/c5d40f_f795c62518e84b038ade9bb62657f36f.pdf
    • https://static.usrfiles.com/ugd/10a4aa_f95465be259146258ed7eda01693103d.pdf
    • https://static.usrfiles.com/ugd/b8c837_f9e422887b9849548831af4a72104d98.pdf
    • https://static.usrfiles.com/ugd/ea9bdf_41636e43202d43bfb0ed703442942e48.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_cf11a1dd51164e6e95f13f4b10de1db8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065c1.bin
9773298a0e6ab22d85f3a5bb86fff201fae2172ab5dade0711cbe8438daefe25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65C1 5068 bytes
font_01_sfnt_off000076fb.bin
bafb076f173fd644f639a73c82fe8819c4c138674ab2910e5b76c887bf94092e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76FB 10288 bytes
font_02_sfnt_off00009a64.bin
d30b1f51092c76d1e181bd20a45a30208ba7a6233a36b08a4afe6a127a6ee863		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A64 4968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.