Malicious PDF — malware analysis report

Static analysis result for SHA-256 2428f617c76b7dd9…

MALICIOUS

PDF

36.5 KB Created: 2020-08-17 05:09:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 778f20c6db5e7cfb5c46933920f96b7d SHA-1: 73351a3f7f4570e2a06c40f2154ff227c106521d SHA-256: 2428f617c76b7dd9f44626edfd90e934fef1b02ffebb0fa59d1e86cc88eb37c9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to `https://ttraff.ru/pify?keyword=ayo+and+teo+dance+videos`. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on `cdn.shopify.com`. The document body, though heavily obfuscated, contains the same malicious URL and several other Shopify-hosted PDF links, suggesting a coordinated effort to distribute malicious content. The primary intent appears to be redirecting users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=ayo+and+teo+dance+videos
    • http://files.feltunik.com/uploads/1/3/0/8/130874403/ramese.pdf
    • https://cdn.shopify.com/s/files/1/0431/5863/4658/files/fodunonetudeziwumujapuzod.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3356/files/sagifenanevunowimedize.pdf
    • https://cdn.shopify.com/s/files/1/0439/3864/4123/files/25827406097.pdf
    • https://cdn.shopify.com/s/files/1/0434/5066/3062/files/60922656683.pdf
    • https://cdn.shopify.com/s/files/1/0439/0469/6472/files/gunezixasitibapefakeb.pdf
    • https://cdn.shopify.com/s/files/1/0430/4017/8333/files/dofujufuroxer.pdf
    • https://cdn.shopify.com/s/files/1/0435/9415/4146/files/druid_leveling_guide_5e.pdf
    • https://cdn.shopify.com/s/files/1/0437/3348/3674/files/47901726769.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/gopag.pdf
    • https://cdn.shopify.com/s/files/1/0430/8631/5671/files/95176855813.pdf
    • https://cdn.shopify.com/s/files/1/0438/8651/0232/files/votupaliravotabe.pdf
    • https://cdn.shopify.com/s/files/1/0436/1030/8765/files/sopirifebiwebisaf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004466.bin
40dc86981fb97b8700d6ee007e03a5c801bad291c5436a473f18d41edebbabb5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4466 4956 bytes
font_01_sfnt_off00005558.bin
63e783c03da57879afb775159473c506eb962ef38e1d93fd37c9511de6b0a0ad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5558 2132 bytes
font_02_sfnt_off00005f15.bin
f0d820dbebdb930e6aeb2572b5a0af66023e6ccff18aa72513fbfc2ef60ec9b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F15 11168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.