Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ce07516d3699836…

MALICIOUS

PDF

55.7 KB Created: 2020-08-31 12:05:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8bc0f1c939ba0e9ced9199318fa8ee9b SHA-1: a806f14a3c93692341e0981883cbb952e55a2b7d SHA-256: 2ce07516d3699836f8a3e1cd2df661735b07d0135c2117c5e3ca57a9c97bce00
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=rogue+build+guide+5e'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body contains the malicious URL and appears to be a lure related to a 'rogue build guide'. The primary attack pattern involves luring the user to click the malicious redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=rogue+build+guide+5e
    • https://cdn.shopify.com/s/files/1/0433/9928/2845/files/persona_3_old_document.pdf
    • https://cdn.shopify.com/s/files/1/0427/6820/3942/files/ritobokuraxifexumenajubej.pdf
    • https://cdn.shopify.com/s/files/1/0432/1227/5870/files/fastest_car_in_gta_4_cheat_code_xbox_360.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mejamuzeditika.pdf
    • https://cdn.shopify.com/s/files/1/0439/1947/4856/files/80906194527.pdf
    • https://cdn.shopify.com/s/files/1/0431/4634/6658/files/notinenumupu.pdf
    • https://cdn.shopify.com/s/files/1/0431/9982/4032/files/application_form_template_for_employment.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/benubojebexoreloruva.pdf
    • https://cdn.shopify.com/s/files/1/0429/2293/4435/files/escambia_county_biology_eoc.pdf
    • https://static.usrfiles.com/ugd/b8c837_6696f1346f22413383b16c2a7a2f1f91.pdf
    • https://static.usrfiles.com/ugd/b8c837_c8720849d8cc43cc9628223bf32455db.pdf
    • https://static.usrfiles.com/ugd/2e16aa_5989f20c16c14a1ea5548a1264ca4b55.pdf
    • https://static.usrfiles.com/ugd/b8c837_fcc0cc1e0227497490770403dbc9ede9.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5cb405eec374da292893a431cdc0498.pdf
    • https://static.usrfiles.com/ugd/76156b_e1b9613234594a0d89685be6665cd836.pdf
    • https://static.usrfiles.com/ugd/b8c837_a77fcee47bbc407a82ad57eb7e063926.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009945.bin
e47f968b8cf4c7227774f85b9581e8b7c51864a88e72065557176c7449b0d29b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9945 4780 bytes
font_01_sfnt_off0000a9a3.bin
a469e8e77bda8070c4472d63b099ff5b3601a5975b4ae02295b5686f6c99db44		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA9A3 12736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.