Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d8e16b949e57125…

MALICIOUS

PDF

39.2 KB Created: 2020-08-23 10:15:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ddad9fe33482d060a1cef5a8fa007ed1 SHA-1: 8ce20f5f1a71b2b9c9dd78e8abb6ba8055330ef4 SHA-256: 3d8e16b949e571250964f6e53a000d44897e4d779b0c6a89f6c1f219b001799d
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, 'https://ttraff.ru/pify?keyword=aoe+1+b%25E1%25BA%25A3n+chu%25E1%25BA%25A9n', is identified as a malicious redirector. The presence of a "download button" heuristic suggests a lure to entice users to click these links. The file's structure and the nature of the links indicate a link farm or SEO poisoning attack designed to redirect users to malicious infrastructure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=aoe+1+b%25E1%25BA%25A3n+chu%25E1%25BA%25A9n
    • http://xakedev.saxonknight.com/uploads/1/3/1/0/131071057/bonobavesabeveralo.pdf
    • http://jisovazef.amandabarnaby.com/uploads/1/3/1/8/131856959/4008111.pdf
    • http://fowix.tallentfineart.com/uploads/1/3/1/4/131454106/besasoxiwovukudubab.pdf
    • https://cdn.shopify.com/s/files/1/0434/6452/3926/files/91368691011.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/30899714004.pdf
    • https://cdn.shopify.com/s/files/1/0430/3355/9203/files/68595513961.pdf
    • https://cdn.shopify.com/s/files/1/0433/9033/7174/files/16271608906.pdf
    • https://cdn.shopify.com/s/files/1/0432/5395/6766/files/ansoff_growth_matrix_template.pdf
    • https://cdn.shopify.com/s/files/1/0446/5927/7987/files/algebra_1_regents_august_2015_answers_jmap.pdf
    • https://cdn.shopify.com/s/files/1/0461/8456/2851/files/3334220873.pdf
    • https://cdn.shopify.com/s/files/1/0449/5494/3643/files/kulepusomegow.pdf
    • https://cdn.shopify.com/s/files/1/0428/4294/7750/files/xigisagol.pdf
    • https://cdn.shopify.com/s/files/1/0434/8307/0629/files/54099847421.pdf
    • https://cdn.shopify.com/s/files/1/0432/3541/0077/files/65399200312.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a30.bin
c0571439f31cb05adc74a8945810f18b5097d86a3d8d83c0fdb1675150817a16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A30 5116 bytes
font_01_sfnt_off00006b0c.bin
761fa68825a376d566c8ea59e6031845bc27185e3034dfdefcaf8ae1de359760		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B0C 10804 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.