Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d164d3a73b86a68…

MALICIOUS

PDF

38.2 KB Created: 2020-08-22 13:16:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bef818c832642e289eda3e44ef36c0b5 SHA-1: 3f0957bed7b2f7d5315df14b8f131d98aba7c5f7 SHA-256: 2d164d3a73b86a68030690bed7ddc4a2c6c057663ecdb135b61cb9570fab238a
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link to 'ttraff.ru', identified as a malicious redirector, which is part of a link farm strategy. The document body, though heavily corrupted, contains text suggesting a lure for downloading 'bejeweled 3 gratuit android'. The presence of numerous external PDF links, many hosted on Shopify, further supports the SEO link farm heuristic. The primary malicious URL is https://ttraff.ru/pify?keyword=telecharger+bejeweled+3+gratuit+android, which likely leads to further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=telecharger+bejeweled+3+gratuit+android
    • http://files.hillsborofire.org/uploads/1/3/0/7/130776254/talavuteruz_tujudegovasok_loget_fuxidelige.pdf
    • https://cdn.shopify.com/s/files/1/0439/1141/3912/files/78895103101.pdf
    • https://cdn.shopify.com/s/files/1/0431/8858/4605/files/24610949908.pdf
    • https://cdn.shopify.com/s/files/1/0430/4207/8877/files/zavimufuduvaturabaxidowi.pdf
    • https://cdn.shopify.com/s/files/1/0429/8961/7311/files/ansys_act_acoustics_extension_free.pdf
    • https://cdn.shopify.com/s/files/1/0434/8729/7696/files/dimefenotino.pdf
    • https://cdn.shopify.com/s/files/1/0434/1799/3366/files/30713301859.pdf
    • https://cdn.shopify.com/s/files/1/0439/3422/0456/files/dosabomuvolexet.pdf
    • https://cdn.shopify.com/s/files/1/0433/2106/5640/files/decocraft_2_1._7_10.pdf
    • https://cdn.shopify.com/s/files/1/0433/8620/8406/files/camera_360_android.pdf
    • https://cdn.shopify.com/s/files/1/0433/0346/9221/files/latumimofujutotiteme.pdf
    • https://cdn.shopify.com/s/files/1/0432/6254/1982/files/45129099098.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054c1.bin
f406e619b7a4e89ecd6e17307b89d0311bf30affc3923bd8c3353a33dc72c1c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54C1 5444 bytes
font_01_sfnt_off00006752.bin
7a0668049f8c074aa4f562b4fb098bf612f38976d129fc5ee33ff86d4b8d1be4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6752 10852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.