Malicious PDF — malware analysis report

Static analysis result for SHA-256 eab780e5bf0048cc…

Verdict: MALICIOUS
File type: PDF
Size: 48.7 KB
Created: 2020-09-16 23:08:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 03eae0f13cd5b35cd7f4212877352e2e
SHA-1: e0259a7ebcb904831a3b44b9a24af5d13e5e350e
SHA-256: eab780e5bf0048cc04c72a4069cfa23d0725b8c6e57e9f4a89195ff9bad15c4f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and triggered a critical heuristic indicating that it links to redirector infrastructure. The primary URL, https://ttraff.ru/wix?keyword=preparatorias+abiertas+en+tijuana+incorporadas+ala+sep, is associated with known malicious infrastructure. Additionally, the PDF exhibits characteristics of a link farm, embedding numerous external links, of which https://cdn.shopify.com/s/files/1/0435/0813/8150/files/zudov.pdf is the first listed. This suggests a coordinated effort to distribute malicious content or to phish users.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007311.bin
    SHA-256: bfd04290e8da35e01a90e82f638099bafe864e163630a6ecb470dc77ea02ffec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7311
    Size: 5284 bytes
  • Filename: font_01_sfnt_off0000850f.bin
    SHA-256: e3ce0fe63ce330e095a66ad38c521b4c9d662e91efbb0856be12a04269f269c8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x850F
    Size: 16280 bytes