Malicious PDF — malware analysis report

Static analysis result for SHA-256 f47c62cb67814246…

MALICIOUS

PDF

47.1 KB Created: 2020-08-31 05:46:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b42352cfde1407458b4b009b1d46c63b SHA-1: b135ff8c3ffd58f2862f308b67e865b512ba2d3d SHA-256: f47c62cb6781424694402448785c94afbe3c28cbf1318d2622ca1c5735b91b83
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple critical heuristics for containing a malicious redirector link and a large link farm. The primary malicious URL identified is https://ttraff.ru/wix?keyword=principios+de+operaciones+unitarias+foust, which is likely used to redirect users to a malicious site. The document body contains a large number of embedded URLs, contributing to the link farm heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=principios+de+operaciones+unitarias+foust
    • https://static.usrfiles.com/ugd/0d089b_031894e3c54a4bf3ab5e291d2f0991d7.pdf
    • https://static.usrfiles.com/ugd/b8c837_6ec1d9ee7eac4a38b0657e0d1540be51.pdf
    • https://static.usrfiles.com/ugd/ca300b_84b771b171084066967218cdf1b631a2.pdf
    • https://static.usrfiles.com/ugd/cc14e4_c55de1642786419d8680e4ea43a12938.pdf
    • https://cdn.shopify.com/s/files/1/0427/4959/1718/files/xazipezi.pdf
    • https://cdn.shopify.com/s/files/1/0429/6815/4278/files/valitefefagi.pdf
    • https://cdn.shopify.com/s/files/1/0435/5863/3631/files/kuta_software_infinite_algebra_1.pdf
    • https://cdn.shopify.com/s/files/1/0466/7490/3205/files/fakuvowujojek.pdf
    • https://static.usrfiles.com/ugd/2b25b5_f0c396e960514d5499a8155f4775bdb9.pdf
    • https://static.usrfiles.com/ugd/b8c837_12e2901ca1c145948045ab55253cd9b9.pdf
    • https://static.usrfiles.com/ugd/6116da_024693d09c1e4fdd873184e44a08d931.pdf
    • https://static.usrfiles.com/ugd/8b49c6_1453bb0af6464354996e26e6b0975d98.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000622c.bin
d080f092faf8a8f700809f574c724bd85eb61b0d38901eb685637b0059736c94		 pdf-font-stream PDF embedded font (sfnt) at offset 0x622C 3212 bytes
font_01_sfnt_off00006dac.bin
28fcd6970b3e15c1d8b53079a2407a98aeeb85a4f1de3071b2acc5c6efbe6d4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DAC 5116 bytes
font_02_sfnt_off00007f15.bin
e209b417a5fa922ea8eeec6e7c75b4f0e8b8aa3779bcb7b1a42091546a6149fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F15 14700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.