Malicious PDF — malware analysis report

Static analysis result for SHA-256 22826718b80ce293…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Created: 2020-08-14 00:18:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8dc800622bb125c4926a6d2ee2e2c0c2
SHA-1: aaf627692c246a36fb2e1212cef3d701b71948d5
SHA-256: 22826718b80ce29348e5e051c1b765ab28c4c7c31ea61b426aa37e39169e9dea
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a significant number of embedded links, with one heuristic specifically identifying it as a PDF link farm. The primary URL, 'https://ttraff.ru/pify?keyword=tyvek+groundsheet+nz', is flagged as a malicious redirector. While no scripts were extracted, the sheer volume of links and the malicious redirector suggest an attempt to lure users to harmful content or manipulate search engine results.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/pify?keyword=tyvek+groundsheet+nz

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006eb2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EB2
    Size: 5068 bytes
    SHA-256: 9d6fa176ec06f6a89c92a2dcae0a9e5d54d67ea5002fa2525b0c96419995b014
  • font_01_sfnt_off00008006.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8006
    Size: 10592 bytes
    SHA-256: 048fcd5b4df626a98123bd1466992d35c01cc96859260ce60bdec620abb4e20c