Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc33150c8989dffc…

Verdict: MALICIOUS
File type: PDF
Size: 40.7 KB
Created: 2020-08-31 23:52:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c53be97c12d4668bf5e57c75ba6612d
SHA-1: 42f95f7d77be11c549f216f8a272e8742171460a
SHA-256: fc33150c8989dffc58bec5b54b595e5fa575bb13cfa9526a32026780630b3f2e
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. This URL is associated with a lure for 'advanced system repair pro full crack'. The file also exhibits characteristics of a PDF link farm, with numerous embedded links, many of which point to Shopify domains hosting other PDFs. The ML classifier strongly indicates maliciousness. The primary attack vector appears to be social engineering, directing users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=advanced+system+repair+pro+full+crack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000060e2.bin
    SHA-256: a34bf1146cbdc4b3e168000a69be4c74a059261e60fc594e51f90987f6ee9149
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x60E2
    Size: 5516 bytes
  • font_01_sfnt_off0000739d.bin
    SHA-256: 19c7f391576ee8050f500925e58ed5a0714d4b52295a11a6ec47f7076651fd71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x739D
    Size: 10052 bytes