Malicious PDF — malware analysis report

Static analysis result for SHA-256 29d97606570a536a…

MALICIOUS

PDF

44.2 KB Created: 2020-08-02 20:05:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68812976e4aa9a1dd507e11eaf57c627 SHA-1: d5ef5238f732a5fbac168925ad5bee56b578969c SHA-256: 29d97606570a536ad9ace70604ada07c0c603df952513d5af052e5e212430fa5
200 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.003 Windows Command Shell T1204.001 User Execution: Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is used to host further malicious content. The document body, though heavily obfuscated, contains references to commands and URLs consistent with social engineering lures. Heuristics indicate the document attempts to trick the user into executing commands directly via the clipboard or by pasting into a terminal, a technique often seen in ClickFix attacks. The primary malicious IOC is the redirector URL.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=emulate+raspberry+pi+mac
    • http://files.bughunters.eu/uploads/1/3/2/7/132740435/6391974.pdf
    • http://files.awanatuhealing.co.za/uploads/1/3/0/7/130776592/8d012cbc.pdf
    • http://files.autumntheodorephotography.com/uploads/1/3/1/4/131454482/d2de4ab1010325a.pdf
    • http://files.perthtamilchurch.com/uploads/1/3/1/4/131437535/sevisuduradi.pdf
    • https://cdn.shopify.com/s/files/1/0433/4642/8072/files/32253977522.pdf
    • https://cdn.shopify.com/s/files/1/0434/4646/8769/files/83781168847.pdf
    • https://cdn.shopify.com/s/files/1/0435/3887/4532/files/2568578486.pdf
    • https://cdn.shopify.com/s/files/1/0430/5249/9095/files/22434326577.pdf
    • https://cdn.shopify.com/s/files/1/0432/1935/3757/files/vodidetog.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0219/files/wupaduwukonetu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8853/files/tigagavonazesul.pdf
    • https://cdn.shopify.com/s/files/1/0435/4772/1882/files/nozovepunaludobelos.pdf
    • https://cdn.shopify.com/s/files/1/0430/3064/2837/files/pebazomujedu.pdf
    • https://cdn.shopify.com/s/files/1/0434/6282/0005/files/40868792366.pdf
    • https://cdn.shopify.com/s/files/1/0428/9229/6359/files/programmable_logic_controllers_fourth_edition_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0439/0017/4504/files/somisufeto.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006453.bin
8e8a460d08f5426f50c7872c2788757b772a5f28bced65597b78082eda419964		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6453 5276 bytes
font_01_sfnt_off0000762c.bin
a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620		 pdf-font-stream PDF embedded font (sfnt) at offset 0x762C 1800 bytes
font_02_sfnt_off00007eb9.bin
225be97a3d38daf66d0de0d4a9ae89e8db71fdc91dbbc17c0b3abe174d5075df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EB9 10816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.