Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f9d18fe417624e0…

MALICIOUS

PDF

41.3 KB Created: 2020-08-15 08:21:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b5283bef9d7477b5aef37d3aa119de6 SHA-1: 210e5b82e6d1765eab1729a63139d427264d6fec SHA-256: 4f9d18fe417624e09200379e2e31fea73f22fcb060b6e65ba9d2aff6de3c1c65
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO manipulation. One critical heuristic identified a link to a known malicious redirector, ttraff.ru, which is used to lure users with a fake 'bubbles game apk free' download. This indicates a phishing or scam attempt leveraging a link farm to obscure the malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bubbles+game+apk+free
    • http://files.holbrooktriathlon.com/uploads/1/3/0/8/130874284/885432.pdf
    • http://molujiten.9footvoice.com/uploads/1/3/0/7/130776407/jirefegazasebun-wumonifuxu-dafuvonot-kegidijemasovad.pdf
    • http://files.longnecklagooneec.com/uploads/1/3/0/7/130775856/7051484.pdf
    • https://cdn.shopify.com/s/files/1/0427/8976/5276/files/86908863006.pdf
    • https://cdn.shopify.com/s/files/1/0430/8421/8532/files/rojeduwupurene.pdf
    • https://cdn.shopify.com/s/files/1/0431/0486/2375/files/dusizoku.pdf
    • https://cdn.shopify.com/s/files/1/0432/9114/8444/files/wefilumuva.pdf
    • https://cdn.shopify.com/s/files/1/0431/7003/7917/files/visogijanobenutasimu.pdf
    • https://cdn.shopify.com/s/files/1/0435/0925/2250/files/49067168551.pdf
    • https://cdn.shopify.com/s/files/1/0428/0690/2950/files/the_official_boyfriend_application.pdf
    • https://cdn.shopify.com/s/files/1/0428/3708/2271/files/nibizesukese.pdf
    • https://cdn.shopify.com/s/files/1/0433/3440/2216/files/sap_pneumonia_pada_anak.pdf
    • https://cdn.shopify.com/s/files/1/0440/7797/3654/files/bexawavusezutukeg.pdf
    • https://cdn.shopify.com/s/files/1/0428/6709/7756/files/regubaxakajo.pdf
    • https://cdn.shopify.com/s/files/1/0432/5851/1510/files/maths_all_formulas_in_telugu.pdf
    • https://cdn.shopify.com/s/files/1/0433/6310/6968/files/60180250524.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000641b.bin
647ffa5aac9e908fe89f2d3bc1286af4ad930f8c394d96513288fb0d95a1871e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x641B 5476 bytes
font_01_sfnt_off000076a5.bin
7c663aa96e2c906ae084ba75c9ab6d88281ff414582cbfd5e87adf2901a5bf64		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76A5 9884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.