Malicious PDF — malware analysis report

Static analysis result for SHA-256 381b0bc4210a0b22…

MALICIOUS

PDF

45.7 KB Created: 2020-08-30 15:46:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c7e187d63309d5c9d243e09590b88a2 SHA-1: ca73493ea3c1b29f6b79e94c8a40be63bc7e84e3 SHA-256: 381b0bc4210a0b2289087b33555b2c609c392fd6b4246d5025b96e61f83ee44c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used for SEO poisoning or to direct users to malicious sites. One of the primary URLs, 'https://ttraff.ru/wix?keyword=maysville+road+veto+apush', is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL and other Shopify links, reinforcing the link farm nature of the document. The presence of a malicious redirector suggests an attempt to lead the user to a site that hosts further malware or phishing content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=maysville+road+veto+apush
    • https://cdn.shopify.com/s/files/1/0432/6857/1294/files/2527742589.pdf
    • https://cdn.shopify.com/s/files/1/0431/2665/3090/files/bsc_physics_syllabus_burdwan_university.pdf
    • https://cdn.shopify.com/s/files/1/0430/4997/5961/files/xowoxu.pdf
    • https://cdn.shopify.com/s/files/1/0463/1042/4733/files/wudinobutetupowe.pdf
    • https://cdn.shopify.com/s/files/1/0434/1760/0165/files/zibapabizewubitisirog.pdf
    • https://cdn.shopify.com/s/files/1/0427/9340/2524/files/fodala.pdf
    • https://cdn.shopify.com/s/files/1/0435/4598/5179/files/crx_h22_swap.pdf
    • https://cdn.shopify.com/s/files/1/0435/8216/1053/files/windows_7_host_file_edit.pdf
    • https://cdn.shopify.com/s/files/1/0432/8570/8953/files/fadudupekex.pdf
    • https://cdn.shopify.com/s/files/1/0435/5309/5844/files/8907973782.pdf
    • https://static.usrfiles.com/ugd/b8c837_849ea72b66b94d2296ea6375bc26e85b.pdf
    • https://static.usrfiles.com/ugd/ae059d_3694d5ae8b0f484bbfb99e0138d2659d.pdf
    • https://static.usrfiles.com/ugd/b8c837_0cb7a68ba40f40898af76c2d6bd1c429.pdf
    • https://static.usrfiles.com/ugd/4b68be_861b2cf67c934478a688bf925269ec25.pdf
    • https://static.usrfiles.com/ugd/79e0dc_1de74150fae544a6b737ca965750ca8f.pdf
    • https://static.usrfiles.com/ugd/1b8612_4f7a6523bda84ac18a8d0163f86d564b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007425.bin
4535b11228dbf23bb9da23b82c1ce5aac811a46946dfad2d0502e49a4473e5a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7425 5212 bytes
font_01_sfnt_off000085e2.bin
5f2196c396ea712c6eaec68f81025e27694526f1308747efd876b4c6b870c3b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85E2 10536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.