Malicious PDF — malware analysis report

Static analysis result for SHA-256 3238a3adb5a2513f…

MALICIOUS

PDF

45.9 KB Created: 2020-08-24 04:16:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61f3fd1d3192d85f6cb7c583a8b67a83 SHA-1: 9e09fc07f12857cdee7aeb10d91128d945d4148c SHA-256: 3238a3adb5a2513f29bee4e8f2f84fdeeaa09c7bf0bee2303818521833cb633d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one pointing to a known malicious redirector. The heuristic firings indicate that this PDF is part of a link farm, likely intended for SEO poisoning or to distribute malicious content. The primary malicious URL identified is https://ttraff.ru/pify?keyword=alfresco+war+file.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=alfresco+war+file
    • http://files.refracted.net/uploads/1/3/1/8/131871648/8104995.pdf
    • http://files.yogaforgrownups.com/uploads/1/3/0/7/130775725/2928577.pdf
    • https://cdn.shopify.com/s/files/1/0433/8375/0821/files/pakovikuxasuxiduru.pdf
    • https://cdn.shopify.com/s/files/1/0438/2579/1138/files/k-_on_episode_1_kissanime.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6681/files/kirexijasam.pdf
    • https://cdn.shopify.com/s/files/1/0429/9656/4131/files/85513486559.pdf
    • https://cdn.shopify.com/s/files/1/0429/2712/8735/files/brawlhalla_cross_platform_switch.pdf
    • https://cdn.shopify.com/s/files/1/0429/9459/8047/files/mutaxadupetivogafewexig.pdf
    • https://cdn.shopify.com/s/files/1/0432/2174/5825/files/pidosojuxa.pdf
    • https://cdn.shopify.com/s/files/1/0431/7403/5607/files/39018083727.pdf
    • https://cdn.shopify.com/s/files/1/0436/9776/6553/files/97146873863.pdf
    • https://cdn.shopify.com/s/files/1/0435/4218/4095/files/spelling_words_for_grade_3.pdf
    • https://cdn.shopify.com/s/files/1/0431/4021/9034/files/vakosu.pdf
    • https://cdn.shopify.com/s/files/1/0439/9611/9198/files/automobile_companies_in_chennai.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f74.bin
05739d0fe5a0152c1fd9e66f171a3e0882d3b929cc699bfd217f3d48628d7f5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F74 4956 bytes
font_01_sfnt_off0000806b.bin
edf60f47a67bf72b2663d3a5b8ad55e55143be375e5711e1cc4c4e28065d2e33		 pdf-font-stream PDF embedded font (sfnt) at offset 0x806B 13328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.