Malicious PDF — malware analysis report

Static analysis result for SHA-256 e215266f749a3397…

MALICIOUS

PDF

43.4 KB Created: 2020-08-14 04:32:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab7404fd5612667d1b4ee3c0b9fbb905 SHA-1: 1bb2afdbef233f6399466ff52f1e81d84be5285c SHA-256: e215266f749a33973284a88e54a234a22506046aadff15957f2c82ad47f4aa07
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to 'ttraff.ru', which is identified as a malicious redirector. This link is presented within the document body, likely as a lure for users interested in 'Citra android 3ds'. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, many hosted on Shopify. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=citra+android+3ds
    • http://files.325986690869568534.com/uploads/1/3/2/6/132695478/ralur.pdf
    • http://nugut.omcloveinc.org/uploads/1/3/1/4/131406149/giraxaxogijukog.pdf
    • http://files.colwynbayhorticulturalsociety.com/uploads/1/3/1/4/131483491/3460476.pdf
    • https://cdn.shopify.com/s/files/1/0431/1708/4833/files/xolege.pdf
    • https://cdn.shopify.com/s/files/1/0433/0032/3478/files/movugarikinodejexefil.pdf
    • https://cdn.shopify.com/s/files/1/0435/8186/6143/files/89376930676.pdf
    • https://cdn.shopify.com/s/files/1/0427/9818/6652/files/konurapu.pdf
    • https://cdn.shopify.com/s/files/1/0428/1470/1735/files/80503858535.pdf
    • https://cdn.shopify.com/s/files/1/0433/9879/1329/files/tusezizar.pdf
    • https://cdn.shopify.com/s/files/1/0430/8048/2970/files/kewapiveneminubakaxalu.pdf
    • https://cdn.shopify.com/s/files/1/0434/0937/5397/files/80475006963.pdf
    • https://cdn.shopify.com/s/files/1/0432/3049/4878/files/gadupigoja.pdf
    • https://cdn.shopify.com/s/files/1/0428/7807/5036/files/74117277311.pdf
    • https://cdn.shopify.com/s/files/1/0430/6288/6554/files/66370378881.pdf
    • https://cdn.shopify.com/s/files/1/0431/8153/9483/files/31056877580.pdf
    • https://cdn.shopify.com/s/files/1/0428/7974/6201/files/zigibe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cbb.bin
06a098836c44a29468a519dc3923ad3c0eeb88dd93cdb8f66190a0151e1709c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CBB 4856 bytes
font_01_sfnt_off00007d41.bin
86f0287cbfd01c2440d79ced552bdb131286341ffa0fb2fa6572a6afdb7dcc64		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D41 10476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.