Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ba3a256b34614c0…

Verdict: MALICIOUS
File type: PDF

Size: 48.0 KB
Created: 2020-08-02 10:30:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 507f40c6ddffefecb24173a642b81c9f
SHA-1: 6627656517fb6f54d165b9ee83d38f7c41d54187
SHA-256: 2ba3a256b34614c0681aa9e555208540ebeee50d72128a0d4b02567381a6d828
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link. The original mapping labelled this ID "Spearphishing Attachment", which is T1566.001; the observed behaviour, a clickable URI inside a document that routes the user to attacker infrastructure, matches T1566.002.
T1059.001 Command and Scripting Interpreter: PowerShell. No script, JavaScript or launch-action artifact appears in the static findings below; this mapping describes the wider delivery campaign rather than behaviour observed in this sample.

The PDF, generated from HTML with wkhtmltopdf, contains a large number of link annotations, most of which point to other PDF files hosted on cdn.shopify.com and on similar file-hosting paths. The primary link points to ttraff.ru, a known malicious redirector domain used for phishing and unwanted-software distribution; its query string (keyword=matlab+linspace+function) reveals the lure: the document poses as information about the MATLAB linspace function and exists only to route the user through a redirect chain to the attacker's content. The document text is heavily obfuscated, and the target URL also appears in the body text, not only in the annotations.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability, so the absence of an exploit does not weaken the verdict.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=matlab+linspace+function (primary redirector link)
    • http://files.joeyboos.com/uploads/1/3/1/4/131411596/wamimimonozuko-zopap.pdf
    • http://files.cloudcity.site/uploads/1/3/1/3/131383651/veziduvalamozowij.pdf
    • http://files.prettyandpinned.com/uploads/1/3/0/7/130739119/8955008.pdf
    • https://cdn.shopify.com/s/files/1/0440/5755/9190/files/18057603450.pdf
    • https://cdn.shopify.com/s/files/1/0429/9161/6153/files/97473048867.pdf
    • https://cdn.shopify.com/s/files/1/0427/3248/6823/files/47691741233.pdf
    • https://cdn.shopify.com/s/files/1/0430/0832/7829/files/zoxutapevuzuz.pdf
    • https://cdn.shopify.com/s/files/1/0432/7034/0772/files/19145813151.pdf
    • https://cdn.shopify.com/s/files/1/0438/1658/3325/files/zikepulevovufo.pdf
    • https://cdn.shopify.com/s/files/1/0439/2815/8363/files/64408561990.pdf
    • https://cdn.shopify.com/s/files/1/0437/6405/6225/files/33953939184.pdf
    • https://cdn.shopify.com/s/files/1/0433/7988/4195/files/7_11_beyonce_mp3.pdf
    • https://cdn.shopify.com/s/files/1/0431/0892/5600/files/6613118569.pdf
    • https://cdn.shopify.com/s/files/1/0431/3320/6690/files/algebra_and_trigonometry_james_stewart.pdf
    The following six URIs are XMP/RDF schema namespace identifiers from the document's metadata stream, not link annotations; they are standard in XMP metadata emitted by PDF producers and are not contact points for attacker infrastructure:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
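The three heuristics above, reimplemented as an added example (not the scanner's own code): it extracts URLs from a raw PDF, labels each with the channel that carried it (link annotation versus document body), and applies the redirector-indicator and link-farm tests. The thresholds (256 KB, 8 PDF links, 50% clustering on one host), the single-entry indicator list seeded from this report, and the minimal PDF builder used as sample input are assumptions of the example. Objects inside compressed object streams or encrypted files would need to be inflated or decrypted first, which this example does not do.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds and indicator list; tune to your own corpus / threat-intel feed.
SMALL_PDF_BYTES = 256 * 1024
MIN_PDF_LINKS = 8
CLUSTER_RATIO = 0.5
KNOWN_REDIRECTORS = {"ttraff.ru"}        # seeded from this report's findings

# /URI (...) string operand of a link-annotation action (crude escaped-paren handling).
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Any http(s) URL anywhere in the raw bytes: page text, XMP metadata, actions.
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# XMP/RDF schema namespaces in the metadata stream are identifiers, not clickable links.
XMP_NS_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/", "http://www.w3.org/")


def extract_urls(pdf):
    """Map each URL to the channels that carried it: 'link_annotation' and/or 'document_body'."""
    found = {}
    for m in URI_RE.finditer(pdf):
        u = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
        found.setdefault(u, set()).add("link_annotation")
    for m in ANY_URL_RE.finditer(pdf):
        found.setdefault(m.group(0).decode("latin-1"), set()).add("document_body")
    return found


def run_heuristics(pdf):
    """Return (heuristic_id, severity, evidence) triples, most severe first."""
    urls = extract_urls(pdf)
    clickable = [u for u, ch in urls.items() if "link_annotation" in ch]
    hits = []
    # PDF_MALICIOUS_REDIRECTOR_LINK: a clickable URI on a known redirector host.
    bad_hosts = sorted({urlsplit(u).hostname for u in clickable} & KNOWN_REDIRECTORS)
    if bad_hosts:
        hits.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", bad_hosts))
    # PDF_SEO_LINK_FARM: small file, many clickable .pdf links, mostly on one host.
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        host, n = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= CLUSTER_RATIO:
            hits.append(("PDF_SEO_LINK_FARM", "critical", [host]))
    # EMBEDDED_URL: informational; every URL is listed with its channel labels, and
    # XMP namespaces are marked so analysts do not chase them as infrastructure.
    if urls:
        evidence = [f"{u} [{','.join(sorted(ch))}]"
                    + (" (xmp-namespace)" if u.startswith(XMP_NS_PREFIXES) else "")
                    for u, ch in sorted(urls.items())]
        hits.append(("EMBEDDED_URL", "info", evidence))
    return hits


def build_sample_pdf(uris):
    """Constructed minimal PDF: one /Link annotation per URI plus an XMP metadata stream."""
    objs = [b"%PDF-1.4"]
    for i, u in enumerate(uris, start=1):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj" % (i, u.encode()))
    objs.append(b"%d 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
                b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
                b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream\nendobj' % (len(uris) + 1))
    objs.append(b"%%EOF")
    return b"\n".join(objs)


# Constructed sample using the URLs reported above (9 clickable links, 8 of them PDFs).
SAMPLE_URIS = [
    "https://ttraff.ru/pify?keyword=matlab+linspace+function",
    "http://files.joeyboos.com/uploads/1/3/1/4/131411596/wamimimonozuko-zopap.pdf",
    "http://files.cloudcity.site/uploads/1/3/1/3/131383651/veziduvalamozowij.pdf",
    "https://cdn.shopify.com/s/files/1/0440/5755/9190/files/18057603450.pdf",
    "https://cdn.shopify.com/s/files/1/0429/9161/6153/files/97473048867.pdf",
    "https://cdn.shopify.com/s/files/1/0427/3248/6823/files/47691741233.pdf",
    "https://cdn.shopify.com/s/files/1/0430/0832/7829/files/zoxutapevuzuz.pdf",
    "https://cdn.shopify.com/s/files/1/0432/7034/0772/files/19145813151.pdf",
    "https://cdn.shopify.com/s/files/1/0438/1658/3325/files/zikepulevovufo.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    for hid, severity, evidence in run_heuristics(SAMPLE_PDF):
        print(f"[{severity}] {hid}")
        for line in evidence:
            print("    ", line)
```

The channel label is what keeps the informational finding honest: the same string reached through a link annotation is user-clickable, while one that only appears in the XMP stream is noise, and the link-farm test deliberately counts only the clickable set.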

Extracted artifacts (3)

Files carved from inside the sample during analysis. Embedded subset fonts are expected in wkhtmltopdf output; they are carved for hashing and correlation, not as a detection, and the offset in each filename is the file offset of the font stream.

Filename | Kind | Source | Size
font_00_sfnt_off0000664f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x664F | 4940 bytes
  SHA-256: 1b3a247e70b63335b429ea8623f246ac995df9e6fb7410e23ab1161955fb610f
font_01_sfnt_off0000772a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x772A | 14600 bytes
  SHA-256: e59fca487cc275f9cecba9664dc147d36f6ee86c4e9e49dded1742cd25852201
font_02_sfnt_off0000a53e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA53E | 4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
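How artifacts like the three font streams above are carved, as an added example that is not the analysis platform's own code: walk every stream object in the raw PDF, inflate FlateDecode streams with an output cap so a crafted stream cannot exhaust memory, keep only payloads whose header looks like a TrueType/OpenType (sfnt) font, and record offset, decoded size and SHA-256 the way the table does. The synthetic sfnt blob, the minimal PDF wrapper and the 4 MiB cap are assumptions of the example; the offsets and hashes it produces are for its constructed input, not for the sample in this report.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType, Apple TrueType, CFF OpenType
MAX_FONT_BYTES = 4 * 1024 * 1024                        # assumed cap against decompression bombs
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
# Direct /Length only; an indirect "/Length 7 0 R" is not matched and we scan for endstream instead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_sfnt(data):
    """sfnt header: 4-byte version tag, then uint16 numTables; the table directory must fit."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return False
    num_tables = struct.unpack(">H", data[4:6])[0]
    return 0 < num_tables <= 64 and 12 + 16 * num_tables <= len(data)


def _inflate(raw):
    """Inflate a FlateDecode stream; None if it is corrupt or would exceed MAX_FONT_BYTES."""
    d = zlib.decompressobj()
    try:
        data = d.decompress(raw, MAX_FONT_BYTES)
    except zlib.error:
        return None
    if d.unconsumed_tail:          # output hit the cap with input left over: treat as a bomb
        return None
    return data


def carve_fonts(pdf):
    """Return one record per embedded sfnt font stream: data offset, decoded size, SHA-256."""
    out = []
    for m in STREAM_START_RE.finditer(pdf):
        obj_start = pdf.rfind(b" obj", 0, m.start())
        head = pdf[max(obj_start, 0):m.start()]       # this object's dictionary
        lm = LENGTH_RE.search(head)
        if lm:
            raw = pdf[m.end():m.end() + int(lm.group(1))]
        else:
            end = pdf.find(b"endstream", m.end())
            if end < 0:
                continue
            raw = pdf[m.end():end].rstrip(b"\r\n")
        compressed = b"/FlateDecode" in head
        data = _inflate(raw) if compressed else raw
        if data is None or not looks_like_sfnt(data):
            continue
        out.append({"offset": m.end(), "size": len(data),
                    "sha256": sha256_hex(data), "compressed": compressed})
    return out


def build_fake_sfnt(num_tables=2, payload=b"A" * 100):
    """Constructed sfnt-shaped blob: TrueType version tag, table directory, filler payload."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num_tables, 32, 1, 0)
    dir_size = 12 + 16 * num_tables
    records = b"".join(struct.pack(">4sIII", b"tab%d" % i, 0, dir_size + i * 50, 50)
                       for i in range(num_tables))
    return header + records + payload


def build_sample_pdf(font_bytes):
    """Constructed PDF with one FlateDecode font stream and one plain text stream."""
    comp = zlib.compress(font_bytes)
    return (b"%PDF-1.4\n"
            b"5 0 obj\n<< /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode /Length1 " + str(len(font_bytes)).encode()
            + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n"
            b"6 0 obj\n<< /Length 11 >>\nstream\nhello world\nendstream\nendobj\n"
            b"%%EOF\n")


FONT = build_fake_sfnt()
SAMPLE_PDF = build_sample_pdf(FONT)

if __name__ == "__main__":
    for i, rec in enumerate(carve_fonts(SAMPLE_PDF)):
        print(f"font_{i:02d}_sfnt_off{rec['offset']:08x}.bin  {rec['size']} bytes  {rec['sha256']}")
```

Two points matter in practice: the hash is taken over the decoded font, so the same subset font reused across generated carriers hashes identically and can be pivoted on, and the decompression cap is what lets this run safely over untrusted samples.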