Malicious PDF — malware analysis report

Static analysis result for SHA-256 50d1af4259e556fc…

MALICIOUS

PDF

59.0 KB Created: 2020-08-31 02:10:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 635fc2050cff0d37299c5eb276f9d368 SHA-1: 408835ad822cd981e17362d14ee0f1d7704011de SHA-256: 50d1af4259e556fc7a333dfeeaba74cc2795c50e05486bb382e09cd9897b4bfd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=blender+2.8+2.79+theme'. Additionally, it exhibits characteristics of a PDF SEO link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0434/7199/5030/files/atom_bomb_picture_ing.pdf' being the first identified. The document body, though heavily corrupted, contains fragments of these URLs, suggesting the primary intent is to trick users into clicking these links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=blender+2.8+2.79+theme
    • https://cdn.shopify.com/s/files/1/0434/7199/5030/files/atom_bomb_picture_ing.pdf
    • https://cdn.shopify.com/s/files/1/0428/9495/0559/files/pabirofuzawewowigubiwitis.pdf
    • https://cdn.shopify.com/s/files/1/0432/7702/5446/files/98630926285.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/81108552740.pdf
    • https://static.usrfiles.com/ugd/3e9e83_4ee8b7b0ab4d4198b299696227a0328e.pdf
    • https://static.usrfiles.com/ugd/77941b_c3616321db7246edb39c197267ca971b.pdf
    • https://static.usrfiles.com/ugd/bae363_e5c84c1960f74c3e96a49aa2577f16d6.pdf
    • https://static.usrfiles.com/ugd/b8c837_1b66c7751e714042a13b12e666979b85.pdf
    • https://static.usrfiles.com/ugd/3f4b99_5ad3b1c0b39c453280bb8bc7227f4c1e.pdf
    • https://static.usrfiles.com/ugd/b8c837_7d8586bf3212426fb32932096271e795.pdf
    • https://static.usrfiles.com/ugd/0fdb6d_2587686a26054926b06be5cdbdeba2ea.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a9d9.bin
122e33413e601f0ec82d4cfc639e35ebd2917f6ed50ece6d167c6f0c5979a160		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA9D9 5320 bytes
font_01_sfnt_off0000bbcc.bin
4619be4a8fb21c2eac13d3995a5f3da07232fe1f877898c0d62c143e6c08302a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBBCC 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.