Malicious PDF — malware analysis report

Static analysis result for SHA-256 29773a582060a2f8…

MALICIOUS

PDF

51.4 KB Created: 2020-08-06 17:09:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b53505f8baec536ee91d1536ab1ad9c SHA-1: c4d2427b2d916487231fa21e53b344482adfcbfc SHA-256: 29773a582060a2f8742092362cbfd978d54e82fa414dbe51b2ef44aac01dbabf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector at 'https://ttraff.ru/wb?keyword=overactive%20bladder%20training%20pdf'. This suggests a phishing or scam attempt, leveraging a seemingly innocuous document topic to drive traffic to malicious infrastructure. The file's structure and the presence of many external links indicate it's part of a link farm designed for SEO manipulation or to distribute malware indirectly. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=overactive%20bladder%20training%20pdf
    • http://files.thijmendoornik.com/uploads/1/3/1/8/131871633/bobuxinarepesi_dadax_wewoxepa.pdf
    • http://files.madamejohanna.com/uploads/1/3/1/4/131453065/widaxa.pdf
    • http://files.mobiledetailinglasvegas.com/uploads/1/3/0/8/130815381/gaxuvigupijux_xolegomabum_soxalixesixef_gopuk.pdf
    • http://files.tamarahaddonart.com/uploads/1/3/2/6/132681513/ruziziwaluzurut_juniwapakenog.pdf
    • http://files.justonlyjenn.com/uploads/1/3/2/8/132816042/0ff36e62482bf4b.pdf
    • https://cdn.shopify.com/s/files/1/0427/7141/5196/files/61405838813.pdf
    • https://cdn.shopify.com/s/files/1/0434/5040/0928/files/nfl_spielplan_2020_18.pdf
    • https://cdn.shopify.com/s/files/1/0437/5658/5121/files/surosenarubotat.pdf
    • https://cdn.shopify.com/s/files/1/0428/6670/4550/files/the_lonely_island_songs.pdf
    • https://cdn.shopify.com/s/files/1/0432/3049/4878/files/lugerup.pdf
    • https://cdn.shopify.com/s/files/1/0437/7047/8746/files/36472294579.pdf
    • https://cdn.shopify.com/s/files/1/0428/3580/4319/files/daxiwozovujuji.pdf
    • https://cdn.shopify.com/s/files/1/0432/4114/4483/files/34155517267.pdf
    • https://cdn.shopify.com/s/files/1/0435/2730/7416/files/37186840485.pdf
    • https://cdn.shopify.com/s/files/1/0429/9027/2675/files/rutinas_calistenia_principiantes.pdf
    • https://cdn.shopify.com/s/files/1/0430/3667/2162/files/nonaxunujedafewatid.pdf
    • https://cdn.shopify.com/s/files/1/0435/7062/6723/files/15704436269.pdf
    • https://cdn.shopify.com/s/files/1/0434/3280/4504/files/pukivelufedubareselasulel.pdf
    • https://cdn.shopify.com/s/files/1/0429/6310/8003/files/zudinowuro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007f3e.bin
de3d7d3cabb99f6b90d41f18a9e31c3f8c2ebc587fb00be7bffc75e9a4341221		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F3E 5048 bytes
font_01_sfnt_off00009079.bin
9b8e18a2222bd96f60692aa58c96aa1811fda28b7eb8272b4c3567af1ba055bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9079 9740 bytes
font_02_sfnt_off0000b1d2.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB1D2 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.