Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6776292037ea429…

MALICIOUS

PDF

43.6 KB Created: 2020-09-01 09:50:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 073e5008bf41e8476c4300cbedd3af64 SHA-1: ff162c3f5f927968100ea62e805d2fedf5ffefaf SHA-256: e6776292037ea4291f20d31ce90e286cc179fbfe9adb92e8788fcf1be13ec15e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, a common tactic for SEO poisoning and redirecting users to malicious sites. One prominent link, 'https://ttraff.ru/wix?keyword=desktop+background+clock+free', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and references to 'desktop background clock free', suggesting a lure to trick users into clicking the malicious link. The presence of a large number of external PDF links further supports the SEO poisoning attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=desktop+background+clock+free
    • https://static.usrfiles.com/ugd/a107db_195b3e3e18114d38a4ae91bc581074c3.pdf
    • https://static.usrfiles.com/ugd/98857b_79e80092f75f4d12abf90d5716ceb558.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc13062ab3af41b8a6908588ae83e9a5.pdf
    • https://static.usrfiles.com/ugd/1decf9_4db8c5b947e04043bed4dbde3ab0f9d9.pdf
    • https://static.usrfiles.com/ugd/49be48_cbcdb77b804143029b04e5383c8aea11.pdf
    • https://static.usrfiles.com/ugd/f0e51d_a1585a18160244d5813e9a6ed41b9181.pdf
    • https://static.usrfiles.com/ugd/b8c837_68914df9eb4a44ecb18c928ff4647439.pdf
    • https://static.usrfiles.com/ugd/cb4a18_be617f3ba47744acbedc4c1e8264d230.pdf
    • https://static.usrfiles.com/ugd/b8c837_ee07d8dff7c54610bdfb3dfd0d904837.pdf
    • https://static.usrfiles.com/ugd/6cf392_2790e93fccf6431db8d63f1ebcda5b18.pdf
    • https://static.usrfiles.com/ugd/b8c837_85d4b6f958204b24b3f2a9278f2e0a7a.pdf
    • https://static.usrfiles.com/ugd/b8c837_449b2338c7df4bd79634cab84a69969d.pdf
    • https://static.usrfiles.com/ugd/6df952_03a836dcc978414ea5b36ee644ad5395.pdf
    • https://static.usrfiles.com/ugd/b8c837_157440d2edae43d6b7bdffdd7c5d561d.pdf
    • https://static.usrfiles.com/ugd/b8c837_f5c39ae288aa48338b4977a89dcd2e02.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d28.bin
2718d0a1c9dfe32a540c2fe3bfe8348e85d774d0adb5d420b65b0e0438e7a5fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D28 5524 bytes
font_01_sfnt_off00007ffe.bin
93d1b4bc2fcfa3aa3038dbd7932083510be59897154445746d0536ea9bffe182		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FFE 9932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.