Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6b877357ba37737…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2020-08-22 11:17:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98a874fb2615fe0ca7ec73d051ea359b
SHA-1: ce206ac6f4b3201ad9b498cb2f1ac09a1e8b3ea5
SHA-256: e6b877357ba377374ca35f9e1e5a24be29063df53f24b875a21ca74c734bdda6
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF was flagged by two critical heuristics: a clickable link to known redirector infrastructure (ttraff.ru, whose keyword= query parameter shows the SEO search term the document was generated to bait) and a mass external link farm of .pdf targets, most of them on cdn.shopify.com. The ML classifier scored the file 1.0000 malicious. No JavaScript or other active content was extracted, so the document does not exploit the PDF reader; its links are the delivery mechanism, and a victim who clicks through is routed into a redirect chain that leads to further unwanted-software or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the entries below, the first is the redirector link, the 13 .pdf targets that follow (11 on cdn.shopify.com) are the link farm, and the last six (w3.org, purl.org, ns.adobe.com) are standard RDF/XMP namespace identifiers from the document's metadata packet, not clickable links; they should not be counted toward the link-farm hit or blocklisted.
    • https://ttraff.ru/pify?keyword=odia+movie+song++audio
    • http://files.adflixmanila.com/uploads/1/3/0/9/130969211/862fda27a9f2b0.pdf
    • http://files.vespatechrobotics.com/uploads/1/3/2/7/132712127/3799405.pdf
    • https://cdn.shopify.com/s/files/1/0433/2896/2715/files/jafuwesefivapaji.pdf
    • https://cdn.shopify.com/s/files/1/0464/6656/4254/files/abduction_2002_font_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/5455/4533/files/najatawuxomogo.pdf
    • https://cdn.shopify.com/s/files/1/0441/0179/5992/files/pink_floyd_bootlegs.pdf
    • https://cdn.shopify.com/s/files/1/0434/5331/7272/files/14438872983.pdf
    • https://cdn.shopify.com/s/files/1/0429/4826/4089/files/69041388389.pdf
    • https://cdn.shopify.com/s/files/1/0436/6788/2134/files/buneporisitarapabemi.pdf
    • https://cdn.shopify.com/s/files/1/0427/8494/8380/files/10857267053.pdf
    • https://cdn.shopify.com/s/files/1/0448/1007/6322/files/87060644981.pdf
    • https://cdn.shopify.com/s/files/1/0437/7473/8593/files/butuxavudajawaramuko.pdf
    • https://cdn.shopify.com/s/files/1/0430/6737/5770/files/4815550468.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
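The two critical heuristics above are simple enough to reproduce in a triage script. The following is an added example written for this page, not the scanner's own code: it pulls URIs out of a PDF by channel (link-annotation /URI actions versus xmlns declarations in XMP metadata), then applies redirector-host and link-farm checks to the link-annotation set only. The thresholds, the redirector host list (only ttraff.ru is named in the report) and the sample PDF built in memory are assumptions for illustration; the sample mirrors the report's link pattern but is not the real file.

```python
"""Triage helper: extract URIs from a PDF by channel and apply link-farm /
redirector heuristics like the ones in the report above.

Added example, not the scanner's own code. Thresholds, the redirector host
list and the constructed sample PDF are assumptions for illustration.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed analyst data: only ttraff.ru is named in the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}
# Assumed heuristic tuning, not the scanner's real thresholds.
MAX_SMALL_PDF_BYTES = 64 * 1024
MIN_FARM_LINKS = 8
MIN_CLUSTER_FRACTION = 0.6

# /URI (...) inside a link annotation's action dictionary; an unescaped ')' ends it.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# xmlns declarations inside an uncompressed XMP metadata stream.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')


def extract_urls(pdf_bytes):
    """Map each URL to the channel it came from: link annotation vs XMP namespace.

    A regex over raw bytes only sees uncompressed objects; URIs inside
    Flate-encoded dictionaries or object streams need a real parser first
    (e.g. qpdf --qdf --object-streams=disable)."""
    return {
        "link_annotation": [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)],
        "xmp_namespace": [m.decode("latin-1") for m in XMLNS_RE.findall(pdf_bytes)],
    }


def run_heuristics(pdf_bytes, urls):
    """Reproduce the three report hits. Only link-annotation URIs count;
    namespace URIs in metadata are never a detection."""
    links = urls["link_annotation"]
    hosts = [urlparse(u).hostname or "" for u in links]
    hits = []
    redirectors = sorted(h for h in set(hosts) if h in KNOWN_REDIRECTOR_HOSTS)
    if redirectors:
        hits.append({"severity": "critical", "name": "PDF_MALICIOUS_REDIRECTOR_LINK",
                     "detail": redirectors})
    pdf_targets = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) <= MAX_SMALL_PDF_BYTES and len(pdf_targets) >= MIN_FARM_LINKS:
        host, n = Counter(urlparse(u).hostname for u in pdf_targets).most_common(1)[0]
        if n / len(pdf_targets) >= MIN_CLUSTER_FRACTION:
            hits.append({"severity": "critical", "name": "PDF_SEO_LINK_FARM",
                         "detail": [f"{n}/{len(pdf_targets)} .pdf links on {host}"]})
    if links:
        hits.append({"severity": "info", "name": "EMBEDDED_URL", "detail": links})
    return hits


def analyze(pdf_bytes):
    urls = extract_urls(pdf_bytes)
    return {"sha256": hashlib.sha256(pdf_bytes).hexdigest(), "size": len(pdf_bytes),
            "urls": urls, "hits": run_heuristics(pdf_bytes, urls)}


def build_sample_pdf(link_urls, xmp_namespaces):
    """Construct a minimal uncompressed PDF: one /Link annotation per URL plus an
    XMP metadata stream declaring the given namespaces (test input, not the real sample)."""
    xmp = b"<rdf:RDF " + b" ".join(
        b'xmlns:%s="%s"' % (b"ns%d" % i, ns.encode()) for i, ns in enumerate(xmp_namespaces)
    ) + b"/>"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
    ]
    first_annot = len(objs) + 2  # object 4 is the page, annotations start at 5
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs)
    for u in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (%s) >> >>" % u.encode())
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed sample: the report's redirector link, two off-host .pdf targets and
# ten cdn.shopify.com .pdf targets (paths made up), plus two XMP namespaces.
SAMPLE_LINKS = [
    "https://ttraff.ru/pify?keyword=odia+movie+song++audio",
    "http://files.adflixmanila.com/uploads/1/3/0/9/130969211/862fda27a9f2b0.pdf",
    "http://files.vespatechrobotics.com/uploads/1/3/2/7/132712127/3799405.pdf",
] + [f"https://cdn.shopify.com/s/files/1/04{i:02d}/files/farm{i}.pdf" for i in range(10)]
SAMPLE_XMP_NS = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://ns.adobe.com/xap/1.0/"]


def analyze_sample():
    return analyze(build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP_NS))


if __name__ == "__main__":
    for hit in analyze_sample()["hits"]:
        print(hit["severity"], hit["name"], hit["detail"][:3])
```

Against the constructed sample this yields the same three hits as the report (redirector, link farm at 10/12 on cdn.shopify.com, and the informational URL list), while the XMP namespace URIs are reported under their own channel and never reach the detection logic. A document with a couple of citation links on different hosts produces only the informational hit.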

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000053ed.bin
  SHA-256: e8f17a38f53ef95522d0acf5c2394f5f46f8a37c7ef88595c7026d1a5f3d8108
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x53ED
  Size: 5104 bytes

Filename: font_01_sfnt_off0000654a.bin
  SHA-256: 90423af2d36500868fb35f15d83d34113014b1dc93a2d9c3a5b2d54d2e87ed95
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x654A
  Size: 10500 bytes