Malicious PDF — malware analysis report

Static analysis result for SHA-256 41e6e705f1ce33b3…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2020-09-01 11:37:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d6c530fe7f245e06cdcaf11b472b864
SHA-1: b50ef8d215f52e6a4730255e73a7a81879db61e2
SHA-256: 41e6e705f1ce33b394e5d330bb7bb6deb29f01ff4ed8b570ffc0d4970ee7e6c6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to SEO-optimized PDF files hosted on Shopify. One critical heuristic firing indicates that the document links to a known malicious redirector at 'ttraff.ru'. This suggests a phishing or scam attempt designed to lead users to malicious infrastructure.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.ru/wix?keyword=contemplate+synonym+8+letters

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000060d8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x60D8  5164 bytes
  SHA-256: 8f3b941829b4c0467cd8bf3633f06063ef88bef3bdb7c08ff7abebcb621a2980
font_01_sfnt_off0000724c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x724C  10648 bytes
  SHA-256: 200c510493f9fda52498f694f4e6dabdebdef38210db802f8a3fcf8615793c19