Malicious PDF — malware analysis report

Static analysis result for SHA-256 41f6e4980d854b1d…

Verdict: MALICIOUS
File type: PDF

Size: 46.2 KB
Created: 2020-08-16 13:54:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d104d9dd20ccb29f03fc4a795836d251
SHA-1: daa284aa73c2250450be631b570c87e199cc4715
SHA-256: 41f6e4980d854b1da3a07c295d471c0960fe3cecd9b0425f043f3b0f83e10205
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains multiple heuristics indicating it is designed as a lure, specifically a fake CAPTCHA prompt. It embeds numerous links, many pointing to what appears to be a link farm hosted on Shopify, but also includes a critical link to malicious redirector infrastructure at `https://ttraff.ru/pify?keyword=captcha+solver+software+free`. This suggests the primary goal is to redirect users to malicious sites under the guise of solving a CAPTCHA.

Heuristics (6)

  • PDF links to known malicious redirector infrastructure (critical; PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Invisible PDF links to CAPTCHA-themed web lure (high; PDF_CAPTCHA_LINK_LURE)
    PDF contains invisible clickable link annotations that point to a CAPTCHA/capcha-themed web path. This is a common phishing and ClickFix-style routing pattern: the PDF itself is inert, while the linked page performs the credential prompt or fake verification.
  • Clickable PDF combines external action with parser-evasion structure (high; PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Fake CAPTCHA / human verification prompt (high; SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=captcha+solver+software+free
    • http://repak.pdcopportunitycenter.org/uploads/1/3/2/8/132814930/7616677.pdf
    • http://files.sarahconnatser.com/uploads/1/3/2/6/132682745/tavusokenapoxix.pdf
    • http://files.palmcoastflautorepair.com/uploads/1/3/2/8/132815054/kuxepetaji-rafojuxefozur-powinuvof-fasagokofefu.pdf
    • https://cdn.shopify.com/s/files/1/0448/0407/9777/files/neuralgia_de_arnold.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/53635556436.pdf
    • https://cdn.shopify.com/s/files/1/0428/5012/3943/files/laputegenukajinif.pdf
    • https://cdn.shopify.com/s/files/1/0439/2864/9896/files/37010769011.pdf
    • https://cdn.shopify.com/s/files/1/0429/5042/6787/files/sentence_or_fragment_worksheet_grade_3.pdf
    • https://cdn.shopify.com/s/files/1/0433/9017/3349/files/little_krishna_flute_ringtone_zedge.pdf
    • https://cdn.shopify.com/s/files/1/0435/9133/6099/files/java_programming_tutorial_book.pdf
    • https://cdn.shopify.com/s/files/1/0433/4354/4488/files/makalah_dampak_merokok.pdf
    • https://cdn.shopify.com/s/files/1/0435/8239/0435/files/31725296568.pdf
    • https://cdn.shopify.com/s/files/1/0428/8076/2023/files/wogirepafefulexete.pdf
    • https://cdn.shopify.com/s/files/1/0450/7366/2115/files/hastings_point_tide_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/9529/3094/files/causes_of_pneumonia.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
| --- | --- | --- | --- | --- |
| font_00_sfnt_off00006ce4.bin | d45c701cf2bd9d87a51ebd8ea34bb2d51de07de5ecbd926bb672f3edfb3005f6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6CE4 | 5160 bytes |
| font_01_sfnt_off00007e82.bin | 4d46dbc584da4d321197d93ce8276470834dee6b837fad0726774560d61a6a66 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E82 | 10976 bytes |
| font_02_sfnt_off0000a3f6.bin | 5f7498f8e433e4c6c47e8ca53e78f46c92ad2660f1d70c8a76bf58ffa4fc47b7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA3F6 | 1740 bytes |