Malicious PDF — malware analysis report

Static analysis result for SHA-256 25fc29f693d17bb4…

MALICIOUS

PDF

37.0 KB Created: 2020-08-31 04:20:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93686b2a890ff3a06340f54b0a29ca10 SHA-1: 99fe3cf23e456c16686c946c7e152295e8f02e46 SHA-256: 25fc29f693d17bb47d9c47a0d76eb9e59a62468a0a5dbb5de50c48d866c41757
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm designed to distribute malicious content. One of the primary links, 'https://ttraff.ru/wix?keyword=kitten%2527+s+first+full+moon', is identified as a malicious redirector. The document body, though heavily obfuscated, contains this URL and a reference to 'Kitten's first full moon', suggesting a lure to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=kitten%2527+s+first+full+moon
    • https://cdn.shopify.com/s/files/1/0429/3489/4755/files/kitefefururomizekanawa.pdf
    • https://cdn.shopify.com/s/files/1/0430/9581/8404/files/calculus_grade_12.pdf
    • https://cdn.shopify.com/s/files/1/0432/8184/2341/files/wexomojipa.pdf
    • https://cdn.shopify.com/s/files/1/0434/6436/0100/files/simple_present_tense_rules.pdf
    • https://cdn.shopify.com/s/files/1/0432/0188/8416/files/tixuzitojamebaro.pdf
    • https://static.usrfiles.com/ugd/8b49c6_a7fa98e8d0bf4d469cab617821e9efbd.pdf
    • https://static.usrfiles.com/ugd/9cb927_1536eb5509e14df7a90f89f2c833b480.pdf
    • https://static.usrfiles.com/ugd/b8c837_e84c15c12f9e4d40a939c7ea81608acc.pdf
    • https://static.usrfiles.com/ugd/b8c837_58c7cd9e7fb84697a096215b1eac9c71.pdf
    • https://static.usrfiles.com/ugd/af0aa9_ffb9d9ee1f914692b07598d13c5327a8.pdf
    • https://static.usrfiles.com/ugd/41f880_214b72a131c44275acfbc33db7bdec46.pdf
    • https://static.usrfiles.com/ugd/b8c837_adcbfd0dd84c46919f0b95b7516ae856.pdf
    • https://static.usrfiles.com/ugd/4b874d_3eafec278f92422da1b97274c239151a.pdf
    • https://static.usrfiles.com/ugd/a382ee_ad9d4a67a5b441cb92256cdc3a50ee45.pdf
    • https://static.usrfiles.com/ugd/c3f88d_359b5dbf3394438ea464acf54d34abf6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000548a.bin
3fce4e596331868663e3c2621a272746f454c9416d438004e5d3e62276d3b5f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x548A 4708 bytes
font_01_sfnt_off00006481.bin
d832f2eaa810266d8d16c81b4091200f7db3c4a3b4cef44e46104a4823ccb02c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6481 10236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.