Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d5e38be231ea4be…

Verdict: MALICIOUS
File type: PDF
Size: 36.6 KB
Created: 2020-08-06 20:49:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70eae44937f52ce3ef1834c23349349c
SHA-1: 7e3b89867f0884a9ad610db2c498088fd06cb77a
SHA-256: 3d5e38be231ea4bef7398b81a0a3ffeb138997c6bd8b1d58a3f2f41272c318cb
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link points to a URL that appears to be part of a link farm designed to distribute PDF files, likely for malicious purposes. The primary malicious URL is https://ttraff.ru/pify?keyword=head+first+design+patterns+book+pdf+free+download, which is presented as a download link for a book. The file also contains numerous other links to PDF files hosted on Shopify, suggesting a coordinated effort to distribute malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical) [PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=head+first+design+patterns+book+pdf+free+download
    • http://files.brilliantbookclubs.com/uploads/1/3/1/4/131453843/tulupux_lagijov.pdf
    • http://files.wellspringnazarene.com/uploads/1/3/0/7/130776131/wases_dugijo_josatemo_barexuxorumig.pdf
    • http://files.nbhaky03.com/uploads/1/3/1/4/131453598/9614431.pdf
    • http://files.withthisringitheewed.com/uploads/1/3/1/1/131163705/fe8289.pdf
    • https://cdn.shopify.com/s/files/1/0429/5278/6074/files/gadejikaguteka.pdf
    • https://cdn.shopify.com/s/files/1/0428/3842/5767/files/90060830810.pdf
    • https://cdn.shopify.com/s/files/1/0436/1748/4957/files/ciencias_ambientales_uam.pdf
    • https://cdn.shopify.com/s/files/1/0435/8209/5517/files/73653538149.pdf
    • https://cdn.shopify.com/s/files/1/0435/5260/4319/files/54086308745.pdf
    • https://cdn.shopify.com/s/files/1/0435/4870/4920/files/rigilaze.pdf
    • https://cdn.shopify.com/s/files/1/0435/9415/4146/files/19045644443.pdf
    • https://cdn.shopify.com/s/files/1/0428/8030/3270/files/vadewuzavujaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/9378/6791/files/96864040184.pdf
    • https://cdn.shopify.com/s/files/1/0438/3621/1362/files/gugibawowivurijawedasu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                    | Size
-----------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00004e85.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4E85 | 5464 bytes
  SHA-256: 72977e750e5a75f0fa485d624a11eb43daa1f7d0a57beace92834f938197adff
font_01_sfnt_off00006137.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6137 | 10540 bytes
  SHA-256: fe2d481881c498d96ce141f01f44e9b30fcb9fbc854ba788f00d064276a64fdf