Malicious PDF — malware analysis report

Static analysis result for SHA-256 44f305c085de0920…

MALICIOUS

PDF

44.8 KB Created: 2020-08-24 14:47:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82a860de7078a97690e3bee59304cfbd SHA-1: 449fc2057453d28394e272eef0fea045bc6ca8e2 SHA-256: 44f305c085de09204dcf18110f4817542cfdf3c9a27cc2e7d2013f27bbb26e1d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. The primary malicious URL, 'https://ttraff.ru/pify?keyword=poster+bodoni+lt+bt+free', is identified as a malicious redirector. This suggests the document is designed to drive traffic to malicious infrastructure, likely for phishing or malware distribution, under the guise of providing free font resources.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=poster+bodoni+lt+bt+free
    • http://files.cellphonerepairorange.com/uploads/1/3/1/4/131406535/d81a2a4b24a1b.pdf
    • http://files.isrcincinnati.com/uploads/1/3/2/6/132681482/6082676.pdf
    • http://files.collingwoodresearch.com/uploads/1/3/0/7/130775310/2303a43db0083.pdf
    • http://files.abruzzoreview.com/uploads/1/3/2/7/132710717/6377005.pdf
    • https://cdn.shopify.com/s/files/1/0444/7014/1095/files/80204421383.pdf
    • https://cdn.shopify.com/s/files/1/0432/6028/0982/files/74305222167.pdf
    • https://cdn.shopify.com/s/files/1/0437/6972/5080/files/bozogobixofuduxovivenesis.pdf
    • https://cdn.shopify.com/s/files/1/0429/9037/0975/files/14658854802.pdf
    • https://cdn.shopify.com/s/files/1/0431/9156/6493/files/50388238263.pdf
    • https://cdn.shopify.com/s/files/1/0429/6183/0037/files/93500368010.pdf
    • https://cdn.shopify.com/s/files/1/0433/1149/7366/files/los_angeles_latitude_and_longitude.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/ferenap.pdf
    • https://cdn.shopify.com/s/files/1/0435/5103/1447/files/nejabibavilaf.pdf
    • https://cdn.shopify.com/s/files/1/0450/4177/8838/files/lemonade_full_album_download_free.pdf
    • https://cdn.shopify.com/s/files/1/0435/9703/7727/files/47916269486.pdf
    • https://cdn.shopify.com/s/files/1/0436/2820/0096/files/balance_score_card.pdf
    • https://cdn.shopify.com/s/files/1/0428/3708/2271/files/6169906767.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000730f.bin
e1dd60b6f3b6dd0e04804438fe35d8bd466a11e43429ee85d994abfef2a6d2f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x730F 4832 bytes
font_01_sfnt_off00008387.bin
699f0f2313a8598754b3e69e41aec35ef3d3d41753fb9575361744a014f1c6c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8387 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.