Malicious PDF — malware analysis report

Static analysis result for SHA-256 25b3be6097d977ab…

MALICIOUS

PDF

39.1 KB Created: 2020-08-24 00:13:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5d9cbf2bce56d9d97dbd607ef8587a04 SHA-1: 7d8a1f043b47611aecc8407dc84503de14edc8b8 SHA-256: 25b3be6097d977ab22d4b6d94007729f40cae31f8bacb2fa05dba82036f2ca84
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, however, redirects to a known malicious domain (ttraff.ru). This suggests a link farm or redirection tactic designed to obscure the final malicious destination. The presence of numerous benign-looking PDF links alongside the malicious one is a common technique to lower suspicion.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=send+email+html+format+c%2523
    • http://files.highlandmillsumc.com/uploads/1/3/1/8/131871605/bisumatekasi.pdf
    • https://cdn.shopify.com/s/files/1/0437/7798/2626/files/lawarebawomewoludu.pdf
    • https://cdn.shopify.com/s/files/1/0431/7957/3414/files/67655625574.pdf
    • https://cdn.shopify.com/s/files/1/0437/4455/9258/files/standard_cabinet_dimensions.pdf
    • https://cdn.shopify.com/s/files/1/0431/8360/3873/files/73090648929.pdf
    • https://cdn.shopify.com/s/files/1/0437/2050/7544/files/barristers_chambers_limited_annual_report.pdf
    • https://cdn.shopify.com/s/files/1/0440/9524/2392/files/financial_accounting_and_reporting_18th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0437/1290/5370/files/tinyumbrella_java._lang._nullpointerexception_windows.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99914628395.pdf
    • https://cdn.shopify.com/s/files/1/0432/9160/7190/files/key_cirriculum_press.pdf
    • https://cdn.shopify.com/s/files/1/0433/3358/2998/files/97851715296.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000055bb.bin
6713cd965b7f56271c662532a5b20f255d8ae3e879cc6fb2b0f78a29dead588e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55BB 5188 bytes
font_01_sfnt_off00006727.bin
4fad71819a1ab97b0ce0cda0590c17ec78d004751ce8f463f5c80d8bfb3fd1d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6727 12904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.