Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f37839a1cea6fc6…

MALICIOUS

PDF

39.7 KB Created: 2020-08-30 04:20:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d4086d9e3e6f4ebc00b9a80d855e209 SHA-1: 0e27df7542ca0c1b66c6984fdc30799f9b8197a3 SHA-256: 1f37839a1cea6fc698efe8ffc0670311f3949af6d3fa9c669eb37c22893888d2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector. The document body, though partially corrupted, includes the text 'How to measure cloud cover' and the malicious URL, suggesting a lure. The primary malicious URL is 'https://ttraff.ru/wix?keyword=how+to+measure+cloud+cover', which is likely used to redirect the user to a further malicious destination. The presence of many links, including to Shopify, suggests a link farm or SEO poisoning tactic to increase visibility.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=how+to+measure+cloud+cover
    • https://cdn.shopify.com/s/files/1/0431/0587/8170/files/58268545417.pdf
    • https://cdn.shopify.com/s/files/1/0432/3219/8816/files/xaziwivunojabojagixofinip.pdf
    • https://cdn.shopify.com/s/files/1/0431/8894/5064/files/focus_collier_county.pdf
    • https://cdn.shopify.com/s/files/1/0433/1975/4907/files/dilejev.pdf
    • https://cdn.shopify.com/s/files/1/0432/4818/9603/files/action_verb_worksheets_for_kindergarten.pdf
    • https://cdn.shopify.com/s/files/1/0438/4007/7981/files/charters_school_sixth_form_open_day.pdf
    • https://cdn.shopify.com/s/files/1/0431/4100/5480/files/83625648740.pdf
    • https://cdn.shopify.com/s/files/1/0434/3365/6476/files/possessive_pronouns_worksheet_with_answer_key.pdf
    • https://static.usrfiles.com/ugd/b8c837_0048c07d6de746819895bb2a129e6ea6.pdf
    • https://static.usrfiles.com/ugd/93c935_0a3310849be74a0eb2ae510c6394ccff.pdf
    • https://static.usrfiles.com/ugd/286fb8_a1d5dd3ade5c479cb594621a1f619790.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_f5b2f75458074564b2cd1a5de066eb40.pdf
    • https://static.usrfiles.com/ugd/b8c837_7e14e11f8f12494caa97b635a78dc641.pdf
    • https://static.usrfiles.com/ugd/b8c837_436d222b5ad2406e8b732ce8670b9841.pdf
    • https://static.usrfiles.com/ugd/b8c837_b0ad4987847744cd9d878a83d8b35a12.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e33.bin
e25b8299867766129ff6ac273e14da3d9749b9451c82264e2f4970898b9e762e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E33 5196 bytes
font_01_sfnt_off00006fd6.bin
dd80d786ce5511341a1a80eb3a19d2763efb3f30f3dc181622cb1d2f15767d7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FD6 10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.