Malicious PDF — malware analysis report

Static analysis result for SHA-256 48b06517a26c68ab…

MALICIOUS

PDF

Size: 62.5 KB | Created: 2020-08-19 07:30:31 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5dc7c69137855d98d027087ec5b316f3 | SHA-1: 050d750e34770ab42982c37661990d730a366f03 | SHA-256: 48b06517a26c68ab0d605b66c75ed079265bd83fd81bd1776e1bcf34284e19c7
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment | T1059.001 Command and Scripting Interpreter: PowerShell | T1204.001 User Execution: Malicious Link

The PDF triggers the malicious-redirector heuristic on a clickable link to `https://ttraff.ru/pify?keyword=arangetram+full+movie`. It also matches the PDF link-farm pattern: a 62.5 KB document carrying a large number of external links to other PDFs, most of them on the Shopify CDN (cdn.shopify.com) and the rest on similar `/uploads/...` paths on assorted hosts. The document body, although partially corrupted, repeats the movie-title lure and the redirector URL, so the primary intent is to draw the reader into the redirect chain rather than to exploit the PDF reader; what that chain ultimately delivers cannot be determined from the file alone. No JavaScript or other script content was extracted, so there is no second stage to analyse here, and the T1059.001 (PowerShell) mapping is not substantiated by this sample's static content.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK [critical]: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; where available, per-URL labels record which channel (macro, JS, link annotation, document body, ...) carried each URL.
    • https://ttraff.ru/pify?keyword=arangetram+full+movie
    • http://junimolex.thebeanfarm-iowa.com/uploads/1/3/1/3/131380594/tezasepatuxa_lizugibabeji_jezuzebi.pdf
    • http://files.springfieldfoodpolicycouncil.org/uploads/1/3/2/7/132740905/1642079.pdf
    • http://gitozake.reneesgourmetpizzeria.com/uploads/1/3/1/0/131070006/rikik.pdf
    • http://files.pipsqatar.com/uploads/1/3/1/4/131453061/0ec1b.pdf
    • http://files.haleycloud.com/uploads/1/3/1/0/131069886/xobuwemex_dawaloxo_wanowupeji_lirodetilu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3264/9636/files/pusijokipi.pdf
    • https://cdn.shopify.com/s/files/1/0428/2207/4534/files/6377913561.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0225/files/zadujedelugafip.pdf
    • https://cdn.shopify.com/s/files/1/0435/6076/3555/files/sudolevobaroduro.pdf
    • https://cdn.shopify.com/s/files/1/0433/5026/1911/files/viwupowubuxatesolobepa.pdf
    • https://cdn.shopify.com/s/files/1/0437/9358/0189/files/28180780468.pdf
    • https://cdn.shopify.com/s/files/1/0433/5622/5688/files/88411206807.pdf
    • https://cdn.shopify.com/s/files/1/0428/0057/8723/files/chronicle_of_a_death_foretold_full_text.pdf
    • https://cdn.shopify.com/s/files/1/0428/7594/5113/files/cambodian_phrases.pdf
    • https://cdn.shopify.com/s/files/1/0430/6753/9623/files/dosipuxubuviridu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/XMP namespace URIs from the document's metadata stream (wkhtmltopdf writes XMP metadata), not clickable link targets; they are listed for completeness and carry no weight in the verdict.
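The two critical heuristics above are simple enough to reproduce. The following Python is an added example written for this page, not the scanner's own implementation: it pulls the /URI targets out of link annotations in a constructed minimal PDF and applies the size, host-clustering and known-redirector rules. The thresholds, the redirector host list and the sample URLs are assumptions (the sample reuses the redirector URL from this report and the cdn.shopify.com host, but the link-farm paths are made up).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds below are assumptions for illustration, not the scanner's real values.
SMALL_PDF_BYTES = 256 * 1024        # what counts as a "small" carrier document
MIN_EXTERNAL_PDF_LINKS = 8          # how many external *.pdf links make a farm
MIN_SINGLE_HOST_SHARE = 0.5         # fraction of those links that must sit on one host
# Assumed blocklist, seeded with the redirector host reported for this sample.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Literal-string /URI entries only; the hex-string (<...>) form is not handled here.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes):
    """Return the /URI targets of link annotations / URI actions as str."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group("uri")
        # Undo the PDF literal-string escapes a URL commonly needs.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def score_pdf_links(pdf_bytes):
    """Apply the redirector and link-farm heuristics; return the evidence and the flags raised."""
    uris = extract_link_uris(pdf_bytes)
    hosts, pdf_links, redirector_hits = Counter(), [], []
    for u in uris:
        try:
            parts = urlsplit(u)
        except ValueError:
            continue
        if parts.scheme not in ("http", "https"):
            continue                      # mailto:, javascript: etc. are not scored here
        host = (parts.hostname or "").lower()
        if host in KNOWN_REDIRECTOR_HOSTS:
            redirector_hits.append(u)
        if parts.path.lower().endswith(".pdf"):
            pdf_links.append(u)
            hosts[host] += 1
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    share = top_count / len(pdf_links) if pdf_links else 0.0
    link_farm = (
        len(pdf_bytes) <= SMALL_PDF_BYTES
        and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
        and share >= MIN_SINGLE_HOST_SHARE
    )
    flags = []
    if redirector_hits:
        flags.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if link_farm:
        flags.append("PDF_SEO_LINK_FARM")
    return {
        "size": len(pdf_bytes),
        "uris": len(uris),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "link_farm": link_farm,
        "redirector_hits": redirector_hits,
        "flags": flags,
    }


def build_sample_pdf(urls):
    """Constructed minimal PDF with one /Link annotation per URL (sample input, not the real sample)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for u in urls:
        esc = u.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A << /S /URI /URI (" + esc + b") >> >>")
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: the report's redirector URL plus made-up link-farm paths.
SAMPLE_URLS = (
    ["https://ttraff.ru/pify?keyword=arangetram+full+movie"]
    + ["https://cdn.shopify.com/s/files/1/0400/%04d/0001/files/doc%d.pdf" % (i, i) for i in range(10)]
    + ["http://files.example-a.test/uploads/1/3/1/3/000000001/a.pdf",
       "http://files.example-b.test/uploads/1/3/2/7/000000002/b.pdf"]
)


def demo():
    return score_pdf_links(build_sample_pdf(SAMPLE_URLS))


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %s" % (k, v))
```

On the constructed sample this reports 12 external PDF links, 10 of them on cdn.shopify.com, and raises both PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM; a two-link document with one PDF citation raises neither. Real scanners also walk /Annots through the object graph and resolve indirect references, which a regex over the raw bytes does not, so treat this as the scoring logic rather than a production parser.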

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00006cef.bin
  SHA-256: b53c0d2a90d409a9535e2dbafcbab7c54503b7f7e94a3d0ac8f342fd6bcfb8a9
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x6CEF | Size: 4956 bytes

font_01_sfnt_off00007dbc.bin
  SHA-256: 0e5fabf28d112f3243b3c8e80fe3d98243685f1b86183b8c8678b3b309edc110
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x7DBC | Size: 5456 bytes

font_02_sfnt_off00009016.bin
  SHA-256: a939b186693897b8aeda1a96e435761aa1ad17feea9c0571552e59f988b6c915
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x9016 | Size: 2632 bytes

font_03_sfnt_off00009bd0.bin
  SHA-256: a20fb0f2ed74be25865183fc5b68d30cdea6632fa417589aa06903954b47857b
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x9BD0 | Size: 6112 bytes

font_04_sfnt_off0000b155.bin
  SHA-256: 0ed7604c9d98a2a5477af195032af495ff02b35dcc6cf767cb0595fb907de625
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xB155 | Size: 10824 bytes

font_05_sfnt_off0000d659.bin
  SHA-256: ed45a24507f18daeaf6b6e9cac20235e9e43bed88bc2d44b7621eff085e31190
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xD659 | Size: 16344 bytes
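The artifacts table lists each embedded font by offset, size and SHA-256. Reproducing that from the raw file is a routine carve: walk the PDF's stream objects, inflate the ones marked /FlateDecode, keep those that start with an sfnt magic, and read the table directory so that a blob whose declared table extent exceeds its length can be flagged as truncated. The following Python is an added example, not the analysis pipeline's own code; the minimal PDF and the two-table TrueType container it embeds are constructed inline (empty tables, zero checksums), and the offset it reports is the start of the stream data, which need not coincide with how the report above measured offset.

```python
import hashlib
import re
import struct
import zlib

# TrueType, CFF-based OpenType and Apple 'true' magics; 'ttcf' collections are not handled.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
# Direct /Length values only; "/Length 5 0 R" (indirect) and /Length1 are deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def parse_sfnt_directory(blob):
    """Read the sfnt header and table directory; return (table tags, declared byte extent)."""
    if len(blob) < 12:
        return [], 0
    num_tables = struct.unpack(">H", blob[4:6])[0]
    tags, extent = [], 12 + 16 * num_tables
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break                                   # the directory itself is cut short
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        tags.append(tag.decode("latin-1"))
        extent = max(extent, offset + length)
    return tags, extent


def carve_sfnt_streams(pdf):
    """Walk stream objects, inflate /FlateDecode ones, keep those that begin with an sfnt magic."""
    found = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        obj_start = pdf.rfind(b" obj", 0, m.start())
        dict_text = pdf[obj_start:m.start()] if obj_start >= 0 else b""
        data_start = m.end()
        lm = LENGTH_RE.search(dict_text)
        if lm:
            raw = pdf[data_start:data_start + int(lm.group(1))]
        else:
            end = pdf.find(b"endstream", data_start)
            if end < 0:
                continue
            raw = pdf[data_start:end].rstrip(b"\r\n")  # fallback; may eat a genuine trailing CR/LF
        if b"/FlateDecode" in dict_text:
            try:
                blob = zlib.decompress(raw)
            except zlib.error:
                continue                            # damaged stream, or not really Flate
        else:
            blob = raw
        if not blob.startswith(SFNT_MAGICS):
            continue
        tags, extent = parse_sfnt_directory(blob)
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), data_start),
            "offset": data_start,
            "size": len(blob),
            "sha256": sha256_hex(blob),
            "tables": tags,
            "declared_extent": extent,
            "truncated": extent > len(blob),        # directory promises more bytes than were carved
        })
    return found


def build_fake_sfnt(tables):
    """Constructed TrueType container (n >= 1 tables): header, directory, 4-byte-aligned tables, zero checksums."""
    tags = sorted(tables)
    n = len(tags)
    entry_selector = max(n.bit_length() - 1, 0)     # floor(log2(n))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, n * 16 - search_range)
    records, body, offset = b"", b"", 12 + 16 * n
    for tag in tags:
        pad = (-offset) % 4
        body += b"\0" * pad
        offset += pad
        records += struct.pack(">4sIII", tag, 0, offset, len(tables[tag]))
        body += tables[tag]
        offset += len(tables[tag])
    return header + records + body


def build_sample_pdf(font_blob):
    """Constructed minimal PDF: one plain content stream plus the font as a /FlateDecode stream."""
    comp = zlib.compress(font_blob)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length 5 >>\nstream\nBT ET\nendstream",
        b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n" % (len(comp), len(font_blob))
        + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    font = build_fake_sfnt({b"head": b"\0" * 54, b"name": b"\0" * 6})
    for hit in carve_sfnt_streams(build_sample_pdf(font)):
        print(hit["filename"], hit["sha256"], "offset 0x%X" % hit["offset"], hit["size"], "bytes", hit["tables"])
```

The filename convention matches the table above (index, sfnt, zero-padded hex offset). The truncation check matters for damaged documents like this one: a font whose directory points past the end of the carved data was cut short or the stream was corrupted, and its hash will not match the same font carved from an intact copy.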