Malicious PDF — malware analysis report

Static analysis result for SHA-256 21364f85bd02cdea…

MALICIOUS

PDF

54.0 KB Created: 2020-08-09 11:22:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 692578b0c3d98d32d7c6d2ea88d1e6cd SHA-1: e4e955de5712629cc9a3b726cc838feafc714308 SHA-256: 21364f85bd02cdeadfdbe5797d4cc459b6ac389e08cbe81f52f70a9b09a28f5b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of these links, https://ttraff.ru/pify?keyword=antigeno+helicobacter+pylori+en+heces+pdf, is identified as a malicious redirector. The document body, though heavily obfuscated, contains this same URL, suggesting it is the primary lure. The file's purpose is to redirect users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=antigeno+helicobacter+pylori+en+heces+pdf
    • http://files.ywamkaikoura.org/uploads/1/3/0/7/130740018/42111800.pdf
    • http://files.carolsullivanperkins.com/uploads/1/3/1/0/131071252/zusafilepege_katimoxugepiw.pdf
    • http://files.broadwaystreetwear.com/uploads/1/3/1/3/131383698/fd7b8897.pdf
    • http://files.janellrubyoga.com/uploads/1/3/0/7/130738614/juzonetajofopidez.pdf
    • https://cdn.shopify.com/s/files/1/0428/1552/0935/files/vuneb.pdf
    • https://cdn.shopify.com/s/files/1/0431/7069/3282/files/90530378827.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pafinekumukomotutawewokab.pdf
    • https://cdn.shopify.com/s/files/1/0433/2634/1272/files/59880771342.pdf
    • https://cdn.shopify.com/s/files/1/0434/6170/5888/files/7859631620.pdf
    • https://cdn.shopify.com/s/files/1/0432/5575/9011/files/8567344216.pdf
    • https://cdn.shopify.com/s/files/1/0434/0505/0021/files/33806601418.pdf
    • https://cdn.shopify.com/s/files/1/0431/9094/3901/files/mipoz.pdf
    • https://cdn.shopify.com/s/files/1/0428/5172/9574/files/lugafuxinoxi.pdf
    • https://cdn.shopify.com/s/files/1/0438/4574/6838/files/46673365864.pdf
    • https://cdn.shopify.com/s/files/1/0430/7812/3680/files/42684400036.pdf
    • https://medlineplus.gov/helicobacterpyloriinfections.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009380.bin
36bc667058f59be836228c9903e8e5d6ca1fef8030aac01f77dec74aec662e53		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9380 5648 bytes
font_01_sfnt_off0000a6b5.bin
e80c8f6b36461e1a9ba8a7849a7fc7541d7f356c92132a5af7f2fad1383c2f12		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA6B5 10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.