Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f1a8b89706583af…

MALICIOUS

PDF

47.9 KB Created: 2020-07-12 21:08:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64825b719bde516122f78f5ac0304a62 SHA-1: d9623812d4139f57c659a6d45134704753b8faf8 SHA-256: 3f1a8b89706583affbfaf11deb0204449b0bec0a99119c7145f7f55899ee23d3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, identified as a PDF SEO link farm. One of these links, 'https://ttraff.ru/wb?keyword=define%20indirect%20tax%20pdf', points to known malicious redirector infrastructure. The document body is heavily obfuscated, preventing analysis of its specific content, but the presence of numerous links strongly suggests a phishing or redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=define%20indirect%20tax%20pdf
    • http://files.programsformindfulliving.org/uploads/1/3/0/7/130775009/giwinodumosowemi.pdf
    • http://files.morstargar.com/uploads/1/3/2/6/132696335/puruve.pdf
    • http://files.rosies-apothecary.com/uploads/1/3/2/7/132741064/e8a946b4.pdf
    • http://files.lottiecreates.co.uk/uploads/1/3/0/7/130739107/100046.pdf
    • https://buwosesem.files.wordpress.com/2020/07/18282458040.pdf
    • https://megazotawulo183772260.files.wordpress.com/2020/07/58764163101.pdf
    • https://kusujeseb640712054.files.wordpress.com/2020/07/26823845426.pdf
    • https://jogapodu.files.wordpress.com/2020/07/jibijikeresifeloximazomir.pdf
    • https://deriwekula.files.wordpress.com/2020/06/nibuwafoku.pdf
    • https://mijukuwojaw.files.wordpress.com/2020/06/dametidabaxifiretumise.pdf
    • https://rafopez.files.wordpress.com/2020/07/77112494495.pdf
    • https://xevugonabaw.files.wordpress.com/2020/06/zusuzokedomelutit.pdf
    • https://cdn.shopify.com/s/files/1/0429/9263/1962/files/ruvajogeri.pdf
    • https://cdn.shopify.com/s/files/1/0428/0070/9791/files/tagagaxileluxuvogesetulan.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/76957488457.pdf
    • https://cdn.shopify.com/s/files/1/0428/0002/1667/files/nezazabiminogurodit.pdf
    • https://cdn.shopify.com/s/files/1/0433/5904/3749/files/nituxipiwinoj.pdf
    • https://cdn.shopify.com/s/files/1/0431/0840/1316/files/siwesajanowunuxax.pdf
    • https://cdn.shopify.com/s/files/1/0429/5560/4121/files/sizazudelugo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007cc9.bin
9ef5f96a559cb479af32a651868a365e34f2dace702aff01021e51242ea0aec0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CC9 4684 bytes
font_01_sfnt_off00008cbe.bin
d176bfc1ec3969adab97854a65d784cbe16a52508db62408b5ed80219256b90f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8CBE 11216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.