Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bf5011df7d56b70…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Created: 2020-08-13 14:27:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 566c9f9f6b1ea8bdb3b5aaae9e1a16df
SHA-1: 9f41f7822f8d354cc864eff5bbd58365099f8870
SHA-256: 4bf5011df7d56b70a07720917ecece7ea0d6c0592edb02a3c6924d60f5534619
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded URLs, a technique often used in link farms for SEO manipulation or to obscure malicious destinations. One critical heuristic firing indicates a direct link to a known malicious redirector at 'ttraff.ru'. This suggests the document's primary purpose is to lure users to malicious infrastructure. No scripts were extracted, and the document body is heavily obfuscated, but the presence of the malicious redirector link is a strong indicator of malicious intent.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/wb?keyword=different%20types%20of%20sentences%20worksheet
    • http://files.chippewakeryx.org/uploads/1/3/1/8/131856212/163363c1b.pdf
    • http://files.akmknit.com/uploads/1/3/1/3/131383771/piberajubupudukilor.pdf
    • http://files.ostervillegardenclub.org/uploads/1/3/1/1/131163740/kamux.pdf
    • https://cdn.shopify.com/s/files/1/0435/8003/1137/files/tupabojivop.pdf
    • https://cdn.shopify.com/s/files/1/0435/9972/4702/files/bagopetunuwatexe.pdf
    • https://cdn.shopify.com/s/files/1/0430/0200/3615/files/metal_gear_solid_gamecube.pdf
    • https://cdn.shopify.com/s/files/1/0434/5508/6742/files/16875765089.pdf
    • https://cdn.shopify.com/s/files/1/0434/4106/2040/files/poppy_avi.pdf
    • https://cdn.shopify.com/s/files/1/0437/3492/5463/files/electronics_multiple_choice_questions_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0432/3688/4642/files/miban.pdf
    • https://cdn.shopify.com/s/files/1/0431/5712/7336/files/blutooth_headset_ps3.pdf
    • https://cdn.shopify.com/s/files/1/0449/3528/2856/files/one_last_breath_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0430/7792/7063/files/79962447691.pdf
    • https://cdn.shopify.com/s/files/1/0447/0787/2921/files/mark_de_lisle_navy_seal_workout.pdf
    • https://cdn.shopify.com/s/files/1/0434/9244/2277/files/38781353795.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000066fa.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x66FA   5116 bytes
  SHA-256: 56c5e978318d0439cf87348e43073c7a4615a755b05355506f12ee92a9413ae0
font_01_sfnt_off00007885.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7885   10552 bytes
  SHA-256: c66dcc3abcdc195cb46957a75f273e0e9cefdd576141c2f11469f98125fc4e92