Malicious PDF — malware analysis report

Static analysis result for SHA-256 390c11341f519f44…

MALICIOUS

PDF

40.4 KB Created: 2020-08-20 14:33:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 836ea3da4d89af5ce987ebb82769d5d8 SHA-1: 3af6ac4844a489578e7b5152bf6238281aa5aa31 SHA-256: 390c11341f519f44d9e9b8de493442209f8dd97a3e42071eb8f80d64636fc626
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm designed to direct users to a malicious redirector at ttraff.ru. The document body, though heavily obfuscated, contains the target URL and other PDF links, suggesting a social engineering lure. The primary goal appears to be redirecting the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=groundwater+flow+modelling+guideline
    • http://files.yogibjewelry.com/uploads/1/3/1/4/131483955/puwitiwisurom-wibofunux.pdf
    • https://cdn.shopify.com/s/files/1/0429/1110/5183/files/axillary_artery.pdf
    • https://cdn.shopify.com/s/files/1/0431/6348/4315/files/79084843160.pdf
    • https://cdn.shopify.com/s/files/1/0454/7182/6072/files/lojugu.pdf
    • https://cdn.shopify.com/s/files/1/0450/1500/7390/files/bhagavad_gita_sanskrit_marathi.pdf
    • https://cdn.shopify.com/s/files/1/0433/3862/9270/files/xemozajorezobu.pdf
    • https://cdn.shopify.com/s/files/1/0429/6186/2810/files/zikadejojukefaruva.pdf
    • https://cdn.shopify.com/s/files/1/0437/2630/7480/files/mowazinekonopos.pdf
    • https://cdn.shopify.com/s/files/1/0439/0692/4712/files/ergonomics_hazards.pdf
    • https://cdn.shopify.com/s/files/1/0428/5346/6271/files/david_klein_organic_chemistry.pdf
    • https://cdn.shopify.com/s/files/1/0439/4817/9611/files/43319119670.pdf
    • https://cdn.shopify.com/s/files/1/0438/6075/4582/files/denebuxinulesafetakimuf.pdf
    • https://cdn.shopify.com/s/files/1/0434/1969/7303/files/insurgency_modern_infantry_combat.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000616c.bin
951ce106a9eef6aaeed9fa35354f48a9af690bc185bd405a6173de05ea0db616		 pdf-font-stream PDF embedded font (sfnt) at offset 0x616C 5172 bytes
font_01_sfnt_off00007309.bin
5d633ed852023a4debb5221adea8cd1ee4d4955b4d21e69b6b47565ecfbba0d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7309 9916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.