Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3f2e633e3122277…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Created: 2020-08-31 11:58:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a835dcb41ffb954e93f02e0f2323183
SHA-1: 68b808c42fbaabe4b6687d9653def07381506141
SHA-256: e3f2e633e31222773c535bd1179188759b0bfe3014aab288351eef64024ade5b
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged as malicious by a machine learning classifier and contains a large number of embedded links. One of these links, https://ttraff.ru/wix?keyword=magic+elder+scrolls, points to known malicious redirector infrastructure. The document body appears to be heavily obfuscated or corrupted, but the presence of numerous links suggests an attempt to manipulate search engine results or redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=magic+elder+scrolls

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000079ed.bin
    SHA-256: cb2906a78349283e8464d4ef9e01ba9852c9669205c8c5a68972c32c97cdb579
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79ED
    Size: 5112 bytes
  • Filename: font_01_sfnt_off00008b58.bin
    SHA-256: 072b8f4d3ed472e1d612dcd98ce271b9cc86788a3ba896fa1cc88c4734a64e23
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8B58
    Size: 10192 bytes