Malicious PDF — malware analysis report

Static analysis result for SHA-256 49095fb90a14c11f…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Created: 2020-08-30 18:24:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42288786d95376daa57397e05bad9a25
SHA-1: 28f635d66be2b45af8f53bc5347844bb42847eb2
SHA-256: 49095fb90a14c11f2db8561271f2f162f654662574a4d288054209c40d7eb339
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.ru, which is disguised as a search result for educational content. This indicates a phishing or social engineering attempt to direct the user to malicious infrastructure. The presence of numerous other PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to increase visibility. No scripts were extracted, and the document body is heavily obfuscated, but the primary malicious activity appears to be the redirection via the embedded URL.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=nelson+grade+9+science+textbook+answers (redirector URL referenced in the analysis above)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000064fe.bin
    SHA-256: b5996723e315a0a4cc0567e6bfce9725f0e62932d0182770df4a7618e1879c0d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x64FE
    Size: 5596 bytes
  • Filename: font_01_sfnt_off00007832.bin
    SHA-256: bb4f39830ad966cae73c5bd34d30edcf4e1f17f092cb895dc9b0ffe412c6c4f8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7832
    Size: 10668 bytes