Malicious PDF — malware analysis report

Static analysis result for SHA-256 2328c1b9e1947423…

MALICIOUS

PDF

57.2 KB Created: 2020-08-30 07:55:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 591f01fc2c7055d91b0a2c7d1f829d1e SHA-1: 9a736fef374e68c8fa363c939af576d16ace03a8 SHA-256: 2328c1b9e1947423664dbde5b5f2d90d16fea36513b2e2d0a2967a1126249f9a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=critical+values+of+chi+square+distribution+table'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many of which point to Shopify domains. The document body, though heavily obfuscated, contains the same redirector URL. The primary attack pattern involves luring the user to this malicious URL, which likely serves as a gateway for further malicious activity.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=critical+values+of+chi+square+distribution+table
    • https://cdn.shopify.com/s/files/1/0433/5340/7646/files/teacher_guide_grade_9.pdf
    • https://cdn.shopify.com/s/files/1/0428/7230/7875/files/77383654599.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/febipak.pdf
    • https://static.usrfiles.com/ugd/b8c837_3f6e0a5b89b14037a7c44b6d91043543.pdf
    • https://cdn.shopify.com/s/files/1/0431/7567/4014/files/93988440145.pdf
    • https://cdn.shopify.com/s/files/1/0429/3050/3846/files/12012310812.pdf
    • https://cdn.shopify.com/s/files/1/0462/4180/8535/files/82425654914.pdf
    • https://cdn.shopify.com/s/files/1/0436/5929/6926/files/wotlk_demonology_warlock_pve_guide.pdf
    • https://cdn.shopify.com/s/files/1/0458/3089/7827/files/glitter_foam_sheets_walmart.pdf
    • https://cdn.shopify.com/s/files/1/0432/6414/7609/files/mogajarakadodu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a039.bin
52863482991b265ef1c5fc72314f727a920a29dc62847e94e1e2032ec7259ea6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA039 5340 bytes
font_01_sfnt_off0000b251.bin
275ee6181e0c8d5d30f32a71386d43ba56630d1f96f4620505c023b851b8d01f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB251 11164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.