Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef6aae4718c8d3ca…

MALICIOUS

PDF

39.6 KB Created: 2020-09-23 02:15:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0364aa64d221872e04d7d39cbf3b1581 SHA-1: 04184eb584754bbc72d2c9858d35c42e35a30ea6 SHA-256: ef6aae4718c8d3ca252cad550a2571f808a996167c12d2ee016e7e20d30ff71e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass external link farm, with many links pointing to shopify.com domains, but the primary link directs to a known malicious redirector at ttraff.ru. This suggests the document is designed to lead users to malicious content or phishing sites. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=cthulhu+realms+manual+espa%25C3%25B1ol
    • http://files.oldmanmoney.com/uploads/1/3/1/3/131398406/3133492.pdf
    • http://files.floorcareandinterior.com/uploads/1/3/1/3/131379832/vexezexe-xitis-fesufurig-repipozubirewik.pdf
    • http://files.stpaulstroy.org/uploads/1/3/0/8/130814070/batufodedozidafozu.pdf
    • https://cdn.shopify.com/s/files/1/0432/8282/5371/files/calendar_june_2020_printable.pdf
    • https://cdn.shopify.com/s/files/1/0452/3845/2381/files/kirejaxodag.pdf
    • https://cdn.shopify.com/s/files/1/0432/0506/6907/files/35537083270.pdf
    • https://cdn.shopify.com/s/files/1/0428/5631/7091/files/22340157334.pdf
    • https://cdn.shopify.com/s/files/1/0434/0314/9462/files/dateline_on_own_episode_guide.pdf
    • https://bc951085-f91f-4e1c-b3e7-425e19d8c755.filesusr.com/ugd/dad7b5_ab901fd8a2c343ff8c6cddc26a35ca16.pdf?index=true
    • https://54ee15f2-1ae8-46ad-a116-88aa936f6f6a.filesusr.com/ugd/61567a_7ecb8ab768dc4e5b90b171d4fd7c1bf0.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/6130/4744/files/activity_series_problems_answers.pdf
    • https://cdn.shopify.com/s/files/1/0478/9872/2470/files/subordinating_conjunctions_worksheet_5th_grade.pdf
    • https://cdn.shopify.com/s/files/1/0431/5276/9192/files/82342394559.pdf
    • https://cdn.shopify.com/s/files/1/0432/0280/5921/files/wifuzasebevudoniwurajime.pdf
    • https://cdn.shopify.com/s/files/1/0435/2465/3224/files/80838192497.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c2e.bin
00f3f8f14d77d6e670ecb9a0d8ebe6827d510b7f08ccbf685cfe3deb2c2125b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C2E 5176 bytes
font_01_sfnt_off00006d4c.bin
409fd5fe055e76e36edcd6cc46fd37681ffa59e50f2e7bbb90ac2b26dd363ed4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D4C 10064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.