Malicious PDF — malware analysis report

Static analysis result for SHA-256 3621b7bb68e0c0a2…

MALICIOUS

PDF

43.9 KB Created: 2020-08-20 00:55:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4135f1e5e1a198cf4aad705be2c9760d SHA-1: 6d1cb77a7ccee8fd5d45e967334dc9704328317e SHA-256: 3621b7bb68e0c0a2bc5b87c82090231c54b6832b9eb621f90e801e507915ba75
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=java+32+bit++windows+10+oracle'. This URL is part of a link farm, suggesting a phishing or social engineering attempt to trick users into downloading potentially malicious content by disguising it as a legitimate software update. The document body contains garbled text but also includes the same URL, reinforcing the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=java+32+bit++windows+10+oracle
    • http://files.tomorrows-heirlooms.co.uk/uploads/1/3/1/3/131398322/deropewo.pdf
    • http://files.avatarborzoi.com/uploads/1/3/1/3/131379181/98817fcde8.pdf
    • http://files.bluevinesolutions.com/uploads/1/3/0/7/130776272/magisokojasu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9665/4489/files/pdf_electrical_engineering_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/2451/5229/files/58163924859.pdf
    • https://cdn.shopify.com/s/files/1/0434/1995/9454/files/40720420003.pdf
    • https://cdn.shopify.com/s/files/1/0434/5364/4966/files/43465631176.pdf
    • https://cdn.shopify.com/s/files/1/0431/4290/6007/files/koguxo.pdf
    • https://cdn.shopify.com/s/files/1/0436/4494/4542/files/steel_dragon_task_guide_osrs.pdf
    • https://cdn.shopify.com/s/files/1/0434/1301/2630/files/66661295604.pdf
    • https://cdn.shopify.com/s/files/1/0430/7091/4717/files/bebuluboforesotarita.pdf
    • https://cdn.shopify.com/s/files/1/0435/4847/5541/files/exception_handling_javatpoint.pdf
    • https://cdn.shopify.com/s/files/1/0427/8091/7926/files/57552864637.pdf
    • https://cdn.shopify.com/s/files/1/0434/3260/7900/files/23307922199.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006628.bin
fe01f1ee02123e59ea81de8d487cffce0c24533c5759cdda4bad26256b9cf5fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6628 5704 bytes
font_01_sfnt_off000079a9.bin
4bb36700cb7eaf2fa3c50de7296c8ba0a824efd25c34fb74416a98f369a0cd6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79A9 12636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.