Malicious PDF — malware analysis report

Static analysis result for SHA-256 30c6ba60f6fefc95…

Verdict: MALICIOUS
File type: PDF
Size: 68.7 KB
Created: 2020-08-04 09:01:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ed7c4c61222a274f4cfdc5d31f9e6d7
SHA-1: 55c074eb74b3993457b353050b9457c8d1549f8a
SHA-256: 30c6ba60f6fefc956a4a33a34b869f3e245bf1efb1e6273cdf4e0eaa0b9284a5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, embedding numerous external links. One of these links, 'https://ttraff.ru/wb?keyword=is%20justified%20true%20belief%20knowledge%20gettier%20pdf', is identified as a malicious redirector. The presence of a large number of links, many pointing to Shopify domains, suggests an attempt to obscure the true malicious destination or to leverage SEO tactics for distribution. No scripts were extracted, and the document body was heavily obfuscated, but the heuristic firings strongly indicate a malicious redirection attempt.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wb?keyword=is%20justified%20true%20belief%20knowledge%20gettier%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ce2e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCE2E
    Size: 5308 bytes
    SHA-256: 9c8e1430c92956051a16facf542c78903dfd08a43283edc49c04e705d81a556b
  • Filename: font_01_sfnt_off0000e05f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE05F
    Size: 10940 bytes
    SHA-256: 66c7fd067cd5d5ba497149fcb9c2204d9bc93931f72f887310946a797e46e006