Malicious PDF — malware analysis report

Static analysis result for SHA-256 369c300505b687c2…

MALICIOUS

PDF

44.7 KB Created: 2020-07-31 07:03:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 595697cbcdc6e68c55f8d09d81c4066e SHA-1: 40a044ee6b40516a6a20da510bdc9e5390ed2ecb SHA-256: 369c300505b687c2232ad2ca95e9dc51ebaca1547570cc25f98b492abdbc6165
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, identified as a link farm. One of the primary links, 'https://ttraff.ru/pify?keyword=seated+core+exercises+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, suggests a lure related to 'seated core exercises pdf'. The presence of a link farm and a malicious redirector indicates an attempt to lead the user to harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=seated+core+exercises+pdf
    • http://files.speededocs.com/uploads/1/3/0/7/130739810/4598273.pdf
    • http://files.heatherseagraves.com/uploads/1/3/1/1/131164442/8855371.pdf
    • http://files.friendsoftheanacorteslibrary.org/uploads/1/3/2/3/132303013/3009808.pdf
    • http://files.lawpoa.com/uploads/1/3/0/8/130873769/1660504.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bamizubonofosexewa.pdf
    • https://cdn.shopify.com/s/files/1/0435/9867/6131/files/xexune.pdf
    • https://cdn.shopify.com/s/files/1/0430/2887/3367/files/30557769180.pdf
    • https://cdn.shopify.com/s/files/1/0431/0512/4516/files/10473407175.pdf
    • https://cdn.shopify.com/s/files/1/0433/7883/5606/files/newonuxegagajugeranuxeb.pdf
    • https://cdn.shopify.com/s/files/1/0430/5171/2666/files/xejokomomi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0379/6894/files/96412766678.pdf
    • https://cdn.shopify.com/s/files/1/0428/4655/2227/files/91750680180.pdf
    • https://cdn.shopify.com/s/files/1/0433/9056/6556/files/mevimas.pdf
    • https://cdn.shopify.com/s/files/1/0427/5847/1846/files/nuwalofekavabugera.pdf
    • https://cdn.shopify.com/s/files/1/0433/0923/6374/files/rafotevilavebin.pdf
    • https://cdn.shopify.com/s/files/1/0427/8052/4710/files/gabazakirejuserutewokan.pdf
    • https://cdn.shopify.com/s/files/1/0431/8475/0747/files/51267364831.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000072b7.bin
efca9960279d2fd9f4ecdad9517ffb6569c1c23a6cb27880a5891d2068784cbd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72B7 4968 bytes
font_01_sfnt_off000083ad.bin
3566e459d8c4b50339d810b0fc442faa5f97204f18d49ab2643a7bd24a0dc7b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83AD 9916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.