Malicious PDF — malware analysis report

Static analysis result for SHA-256 46217f54455bfccb…

MALICIOUS

PDF

102.2 KB Created: 2020-08-26 19:44:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e8d58f3bc8870d60127f093a4c88ba7 SHA-1: bf99dd76ab4071d0fed94d8ae612e66023128411 SHA-256: 46217f54455bfccba74e8aac35b83bf768b3d536b324ae7619aca4c4a3f40f9a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One critical heuristic indicates that these links point to known malicious redirector infrastructure, specifically `https://ttraff.ru/pify?keyword=christmas+robin+fire+emblem`. The presence of numerous links, many hosted on Shopify, suggests an attempt to obscure the final malicious destination and potentially leverage benign-looking domains for distribution. No scripts were extracted, but the link farm itself is the primary attack vector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=christmas+robin+fire+emblem
    • http://lawuxad.liveforliteracy.com/uploads/1/3/1/4/131453459/vojikopimivupo.pdf
    • http://vajazir.humblehandsfarm.com/uploads/1/3/0/9/130968921/2128610.pdf
    • http://files.galacticfacets.com/uploads/1/3/0/9/130968994/836226.pdf
    • http://fopisiw.aoerecording.com/uploads/1/3/1/6/131606347/fuwepajawogirujeriv.pdf
    • http://wowopu.staffordengines.com/uploads/1/3/1/4/131483281/1685184c.pdf
    • https://cdn.shopify.com/s/files/1/0448/9651/8299/files/sevuwuzegeto.pdf
    • https://cdn.shopify.com/s/files/1/0431/1311/9905/files/masetudes.pdf
    • https://cdn.shopify.com/s/files/1/0434/0006/9287/files/fikewapebubavedesuna.pdf
    • https://cdn.shopify.com/s/files/1/0432/1922/2687/files/new_bengali_movies_link.pdf
    • https://cdn.shopify.com/s/files/1/0437/0766/2490/files/batman_arkham_city_pc_rar.pdf
    • https://cdn.shopify.com/s/files/1/0433/0812/2270/files/sapuneru.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3089/files/daribobanelop.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001314e.bin
8b138d3953009390458e921d6c84917d1252164e0b56e6bf114549dfaa3667ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1314E 4296 bytes
font_01_sfnt_off0001406b.bin
f6606ce69a1a5b3c031992d63e627fc0494f6d5c779074f1a4054ddb60455c5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1406B 5052 bytes
font_02_sfnt_off00015174.bin
99743a251fe539a517f1d172cc2b92292ac67760802fac78eba695ea759a44f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15174 10656 bytes
font_03_sfnt_off000175de.bin
d64bc6380e0eaa1176cac3164d67defa127098331a48f6beb6813acb26cb21ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x175DE 16172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.