Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ad3f44c112a36f1…

MALICIOUS

PDF

46.6 KB Created: 2020-08-08 04:07:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d6b0b7f669f25f5653e703a49598968 SHA-1: af49310930e65145f96c8538f4723cadea5790e3 SHA-256: 2ad3f44c112a36f1db3fb5fa87f964b59dd6290f51de8f255856b40f61375d81
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=ssc+stenographer+practice+book+pdf', which is identified as a malicious redirector. This suggests the PDF is designed to trick users into downloading malicious content by disguising it as a practice book.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=ssc+stenographer+practice+book+pdf
    • http://files.dunhamlit.com/uploads/1/3/0/7/130776406/7ac5199f.pdf
    • http://files.charentemgowners.com/uploads/1/3/2/7/132710780/ea784b8a.pdf
    • http://files.alba-a-new-dawn.com/uploads/1/3/1/4/131408465/51099.pdf
    • https://cdn.shopify.com/s/files/1/0434/3591/7473/files/7308019501.pdf
    • https://cdn.shopify.com/s/files/1/0430/9866/9220/files/86144165628.pdf
    • https://cdn.shopify.com/s/files/1/0431/5516/1252/files/62249018179.pdf
    • https://cdn.shopify.com/s/files/1/0430/5915/1009/files/79950379905.pdf
    • https://cdn.shopify.com/s/files/1/0436/1977/8723/files/15177230659.pdf
    • https://cdn.shopify.com/s/files/1/0429/9220/5978/files/30728668425.pdf
    • https://cdn.shopify.com/s/files/1/0430/3391/9645/files/jivikojidugaligasole.pdf
    • https://cdn.shopify.com/s/files/1/0428/1679/8883/files/joxujorakezevogot.pdf
    • https://cdn.shopify.com/s/files/1/0428/2312/3100/files/laxikawigomajaju.pdf
    • https://cdn.shopify.com/s/files/1/0430/4227/5479/files/65408716783.pdf
    • https://cdn.shopify.com/s/files/1/0427/6636/8935/files/68197347673.pdf
    • https://cdn.shopify.com/s/files/1/0431/3281/3473/files/78825958730.pdf
    • https://cdn.shopify.com/s/files/1/0438/6055/7984/files/2575544315.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000692a.bin
a4891029ca5b45db585b877cbfacea5117653c0a747df834372ad1c56bbef987		 pdf-font-stream PDF embedded font (sfnt) at offset 0x692A 5692 bytes
font_01_sfnt_off00007c7d.bin
327b91be71201d380701f4cea79ba9d936eebc200f5310524c96bc32bc34e221		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C7D 15076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.