Malicious PDF — malware analysis report

Static analysis result for SHA-256 48b13e785fac99d1…

MALICIOUS

PDF

39.6 KB Created: 2020-08-22 15:55:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 063d246b84b7f8c33b05d9f9d81179b7 SHA-1: 7163d1975ab170c9061858ae0f8758b04ffd9cac SHA-256: 48b13e785fac99d1c48bc6e28d7566d0ae997bd9a91c52b99791c7f4bf1eb896
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a lure referencing 'aimbot.exe ps4' and embeds multiple links, one of which, https://ttraff.ru/pify?keyword=aimbot.+exe++ps4, is flagged as a malicious redirector. The document also contains a large number of links to Shopify-hosted PDFs, suggesting a link farm for SEO poisoning or traffic generation. The heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document may also attempt to solicit sensitive information, though the primary observed attack vector is the malicious link.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=aimbot.+exe++ps4
    • http://files.bridges2learning.net/uploads/1/3/2/6/132695213/5419900.pdf
    • http://files.globalgymnasticscheer.com/uploads/1/3/1/8/131856306/vokeladon_nevin_fufobi_vuravamefesa.pdf
    • http://files.cascadiannomads.com/uploads/1/3/0/7/130776416/rudegazu.pdf
    • http://files.jacindaaytchillustration.com/uploads/1/3/0/7/130738512/siweterolimaxokiju.pdf
    • https://cdn.shopify.com/s/files/1/0431/1806/7876/files/dmv_ny_road_test.pdf
    • https://cdn.shopify.com/s/files/1/0433/0360/0283/files/64020685491.pdf
    • https://cdn.shopify.com/s/files/1/0434/3663/8360/files/universal_bending_machine.pdf
    • https://cdn.shopify.com/s/files/1/0434/5469/3537/files/28607632918.pdf
    • https://cdn.shopify.com/s/files/1/0434/5020/4327/files/convertible_note_example_template.pdf
    • https://cdn.shopify.com/s/files/1/0437/5727/3237/files/magivasujamofomepeneb.pdf
    • https://cdn.shopify.com/s/files/1/0437/0428/7383/files/fipamimadobeguzavabuga.pdf
    • https://cdn.shopify.com/s/files/1/0436/2849/5001/files/xamazosomisilek.pdf
    • https://cdn.shopify.com/s/files/1/0430/1747/0101/files/girulivuzi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e91.bin
e1a8f9699512f2ff84205f2c1dc90a18b9f63e7da4ed33e45948f106a817d412		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E91 4944 bytes
font_01_sfnt_off00006f60.bin
7056aee6b96802569a183be594470ba7e0d8ff764e8517e3f0f42e590f98b2d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F60 10128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.