Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef875bc019e0f266…

MALICIOUS

PDF

Size: 38.3 KB
Created: 2020-09-02 16:50:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1a4c9d7a110f0d3cbdac0b312e89f39
SHA-1: a4b1775f6b71c81880fbd07aca0be78e002f550b
SHA-256: ef875bc019e0f2664d001b71aabc8cb15b18c5aff3b2a52616063a5f85a60bb4
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is ttraff.ru, which is used in conjunction with keywords suggesting a lure for popular media content. The document body, though heavily obfuscated, contains the malicious URL and keywords, reinforcing the social engineering aspect of this attack. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=elite+netflix+imdb+parents+guide
    • https://cdn.shopify.com/s/files/1/0428/6640/9638/files/78649311353.pdf
    • https://cdn.shopify.com/s/files/1/0461/5431/7987/files/ghost_rider_2_full_movie_in_hindi.pdf
    • https://cdn.shopify.com/s/files/1/0431/0764/7639/files/algebra_1_order_of_operations_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0434/7111/0308/files/63124073592.pdf
    • https://cdn.shopify.com/s/files/1/0432/8580/7268/files/28864611154.pdf
    • https://cdn.shopify.com/s/files/1/0437/7369/0017/files/jspdf_auto_table_npm.pdf
    • https://static.usrfiles.com/ugd/b8c837_cbb400a36ca84a078d6a91bcc7b9d5d6.pdf
    • https://static.usrfiles.com/ugd/e02969_022212862b5b451fb30b24d30e0b0fb3.pdf
    • https://static.usrfiles.com/ugd/e2c250_a12a9e46ffe94c739ab3f31db7d487c3.pdf
    • https://static.usrfiles.com/ugd/ef7486_f491b9d83a1c46f8aa77412658ac7ebf.pdf
    • https://static.usrfiles.com/ugd/3ed902_f7aafb691fd94315a0c4e76c3ace548c.pdf
    • https://static.usrfiles.com/ugd/33a16d_5ccb551e32704d7ca9b50f5fae54722c.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f625cbcf4794ec5883a050d4165a7bc.pdf
    • https://static.usrfiles.com/ugd/21e6f2_756682f6dc58403d9332c4a15748a7cc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off0000577e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x577E  5524 bytes
  SHA-256: efc17011fb552f7a26ab8f8dcaebdc3513a0ff427b645821380195b5bf8deb10
font_01_sfnt_off00006a36.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6A36  9980 bytes
  SHA-256: 327b166bdc27f43d686dfc27805efd5098e6c1b53769f3a9bfdb0011a7b36092