Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff8e3b5b334e1034…

MALICIOUS

PDF

42.7 KB Created: 2020-08-29 17:11:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 060f0ac0bb77146d1a509118fe6fc652 SHA-1: 2a4feec59f01769192c52f2aff6f7ede0fbd7faf SHA-256: ff8e3b5b334e1034812fe9cda03c9980061b95886b0db53ee5cb4e64b885e543
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, including one pointing to a known malicious redirector at `ttraff.ru`. The document body, though heavily obfuscated, contains text related to 'high yield biochemistry usmle step 1', suggesting a lure to disguise the malicious intent. The heuristic firings confirm the presence of malicious redirector links and a link farm, indicating a likely phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=high+yield+biochemistry+usmle+step+1
    • https://cdn.shopify.com/s/files/1/0432/4861/5579/files/90933251237.pdf
    • https://cdn.shopify.com/s/files/1/0432/7240/5157/files/kazebojawaketipasaz.pdf
    • https://cdn.shopify.com/s/files/1/0431/6862/8890/files/vasilaku.pdf
    • https://cdn.shopify.com/s/files/1/0439/0970/9976/files/20880658822.pdf
    • https://cdn.shopify.com/s/files/1/0433/7798/3653/files/27240953554.pdf
    • https://static.usrfiles.com/ugd/c7a620_c165dec738ec43cf938d412bc22ee578.pdf
    • https://static.usrfiles.com/ugd/73cb9e_98b04f0c82ce472abf1318eeea6cfaad.pdf
    • https://static.usrfiles.com/ugd/b8c837_95a5d429bed547079e7652ec8cd67749.pdf
    • https://static.usrfiles.com/ugd/b8c837_f34215f092ac48278fae250fb24fbc18.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc7314d89ecb4b708f05f87e66ad3582.pdf
    • https://cdn.shopify.com/s/files/1/0430/1104/7575/files/javascript_quick_reference.pdf
    • https://cdn.shopify.com/s/files/1/0431/6246/8516/files/callan_method_stage_2_download.pdf
    • https://static.usrfiles.com/ugd/cec570_42c8ad5017ed4249bf38b058748f5ede.pdf
    • https://static.usrfiles.com/ugd/b8c837_f7d06ffd7ee54146a207f73ea5f90603.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000681b.bin
2f7a801e0cc5fa68604b55bf5ca7da7e81829b11a1d5c87d8e309afda8ee01d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x681B 5532 bytes
font_01_sfnt_off00007acb.bin
67611e8d674db5649cf3539b95aefc2184cba9605c07f1c10dde65486c3538fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7ACB 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.