Malicious PDF — malware analysis report

Static analysis result for SHA-256 2acbcb166961917d…

MALICIOUS

PDF

73.8 KB Created: 2020-08-07 15:08:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fa6a0658a27119fe0b4f61f54b57eef SHA-1: eb976ed41f330d30802f8bb82ec5a8f74e385bc6 SHA-256: 2acbcb166961917d9565d9c3d8c404748c4b882aac19db7b2079a503550d7d35
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with the primary redirector URL being https://ttraff.ru/pify?keyword=bloqueo+av+grados+pdf. This indicates a likely attempt at SEO poisoning or a phishing campaign by distributing numerous links to potentially malicious content. The document body itself is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bloqueo+av+grados+pdf
    • http://files.kencot.info/uploads/1/3/1/6/131637649/100a50638a5e3.pdf
    • http://files.createwithease.com/uploads/1/3/2/6/132682290/f796a44e3e.pdf
    • http://jutibano.radhikanagpal.org/uploads/1/3/1/1/131163635/nilepolax.pdf
    • http://files.classroomconversations.org/uploads/1/3/1/3/131379290/dajedixanibu.pdf
    • https://cdn.shopify.com/s/files/1/0435/1649/3976/files/a_carta_roubada_edgar_allan_poe_download.pdf
    • https://cdn.shopify.com/s/files/1/0427/4916/5734/files/42836141016.pdf
    • https://cdn.shopify.com/s/files/1/0431/7318/3643/files/vugaxixijavekejogix.pdf
    • https://cdn.shopify.com/s/files/1/0431/6702/3259/files/kipajida.pdf
    • https://cdn.shopify.com/s/files/1/0430/2661/2378/files/stored_procedure_in_sql_tutorial_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0427/6633/6167/files/loneliroronevelamigiwowun.pdf
    • https://cdn.shopify.com/s/files/1/0433/7732/8278/files/core_java_black_book_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/4285/5319/files/kukiz.pdf
    • https://cdn.shopify.com/s/files/1/0433/8368/5274/files/radulirifujas.pdf
    • https://cdn.shopify.com/s/files/1/0431/3038/8642/files/menosulerus.pdf
    • https://cdn.shopify.com/s/files/1/0429/5576/7967/files/atmosphere_shift_chords.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e0be.bin
8f598c4f59904dee2e8f41dfd1568906eb2e1a6a04b0bec96c84de4f67215883		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE0BE 5444 bytes
font_01_sfnt_off0000f359.bin
3fca8de920094b87ad02a434e5ce5b7db97de04850c585ffaff0d2911b4482e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF359 11544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.