Malicious PDF — malware analysis report

Static analysis result for SHA-256 309498ec9d4ae5d5…

MALICIOUS

PDF

36.2 KB Created: 2020-08-19 05:07:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87ce60259d75936d9e2249eefe3ea53a SHA-1: b10c1a471642196b3bbbf4341ae69c8034937dda SHA-256: 309498ec9d4ae5d55c49faf9fda5ac95b9dd6fa746f2a396a3def52da795e92b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded external links, with one heuristic specifically identifying it as a PDF link farm. One of these links, 'https://ttraff.ru/pify?keyword=fire+texture+sheet', is flagged as pointing to known malicious redirector infrastructure. The document body itself is heavily obfuscated and contains garbled text, but the embedded URLs are clearly visible. The primary attack pattern appears to be SEO manipulation or directing users to malicious content via a link farm.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=fire+texture+sheet
    • http://files.artshotz.com/uploads/1/3/1/8/131856041/99585531.pdf
    • https://cdn.shopify.com/s/files/1/0428/9029/7507/files/70339231508.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2959/files/tutuzafimebajapovi.pdf
    • https://cdn.shopify.com/s/files/1/0433/2666/8952/files/89915343991.pdf
    • https://cdn.shopify.com/s/files/1/0427/5650/5756/files/kiwetejusepovenudu.pdf
    • https://cdn.shopify.com/s/files/1/0437/2047/4779/files/user_stories_applied_for_agile_software_development_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/0857/3088/files/alkane_nomenclature_practice.pdf
    • https://cdn.shopify.com/s/files/1/0434/7199/5033/files/mathematical_analysis_for_economists_allen.pdf
    • https://cdn.shopify.com/s/files/1/0437/3846/4405/files/blockchain_technology_for_enhancing_supply_chain_resilience.pdf
    • https://cdn.shopify.com/s/files/1/0430/8280/9508/files/nicorette_gum_user_guide.pdf
    • https://cdn.shopify.com/s/files/1/0438/1723/8685/files/18332876977.pdf
    • https://cdn.shopify.com/s/files/1/0431/0364/9954/files/kazuriwikaxofijimutadem.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000050bc.bin
87a8d3c19651312bafcccd13824cdfcdb581160126651eca4752f0dc08a575df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x50BC 4556 bytes
font_01_sfnt_off00006035.bin
ed1c87ec3965b6fe1ffd378bc3908de48d7d014e6d228b8ac9ccba037b5e49e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6035 10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.