Malicious PDF — malware analysis report

Static analysis result for SHA-256 57a1b4eb2d0e464d…

MALICIOUS

PDF

45.2 KB Created: 2020-08-18 22:17:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b46705f9aafdb96281870d92c7c95ec SHA-1: b09d6951d12aefbf5f1ccee0b973a82ed3c82bfd SHA-256: 57a1b4eb2d0e464d81df4819e75edb424091d4edc366b793d75e3bf27abcbeae
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=serial+song++mr+jatt'. This URL is presented within the document body, suggesting a social engineering lure to trick users into clicking it. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to PDF files hosted on Shopify. The primary malicious URL is likely intended to redirect the user to a further malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=serial+song++mr+jatt
    • http://dutejox.nonprofitjourney.org/uploads/1/3/1/6/131637136/2353304.pdf
    • https://cdn.shopify.com/s/files/1/0429/7926/2615/files/54933404230.pdf
    • https://cdn.shopify.com/s/files/1/0431/5290/0260/files/nawolidisafiwog.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/9467339244.pdf
    • https://cdn.shopify.com/s/files/1/0431/5165/5061/files/verbal_ability_questions_for_cat.pdf
    • https://cdn.shopify.com/s/files/1/0438/1723/8685/files/jojigozemivotavabuxil.pdf
    • https://cdn.shopify.com/s/files/1/0436/7345/2697/files/82476505256.pdf
    • https://cdn.shopify.com/s/files/1/0440/9065/4870/files/93553151882.pdf
    • https://cdn.shopify.com/s/files/1/0428/9635/9580/files/50199995126.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/visaboxe.pdf
    • https://cdn.shopify.com/s/files/1/0447/7183/6055/files/basic_interview_questions_answers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e55.bin
50dcaa252c1a225cd4774ec2cea8130cc6b9807fd3585d96ca079a16b256297b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E55 5184 bytes
font_01_sfnt_off00006fd8.bin
8c34fa7fadbc46febc2162f37715002b71491985baf9a6d4a0764d5c9725121d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FD8 10252 bytes
font_02_sfnt_off00009300.bin
ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9300 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.