Malicious PDF — malware analysis report

Static analysis result for SHA-256 581365b48f40b67f…

MALICIOUS

PDF

50.9 KB Created: 2020-08-28 00:49:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47665bf2c56ef7f1954683556c4b3e95 SHA-1: a202737009b4c5769e9a9ba79a2066ac7dca076b SHA-256: 581365b48f40b67f5215f7fef4f5d9acb5b65f6c9ab43edcd8b78de88c25b50e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded URLs, forming a link farm. One of these URLs, https://ttraff.ru/pify?keyword=rc24914+e+universal+remote+codes, is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other PDF files hosted on Shopify, suggesting a lure to a malicious site. The primary attack pattern involves redirecting users through a chain of links to a malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=rc24914+e+universal+remote+codes
    • http://paxavi.reasonandjustice.com/uploads/1/3/1/4/131437425/14abc4.pdf
    • http://files.natureandcultures.net/uploads/1/3/0/9/130969448/lidopevudum.pdf
    • https://cdn.shopify.com/s/files/1/0430/0200/3609/files/75993054479.pdf
    • https://cdn.shopify.com/s/files/1/0431/3684/3933/files/98363787817.pdf
    • https://cdn.shopify.com/s/files/1/0432/0467/3699/files/xosukasedaludage.pdf
    • https://cdn.shopify.com/s/files/1/0440/1712/3486/files/a_level_further_maths_notes.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3852/files/xufevevaz.pdf
    • https://cdn.shopify.com/s/files/1/0431/5214/6587/files/86048784680.pdf
    • https://cdn.shopify.com/s/files/1/0431/2429/3796/files/70913047093.pdf
    • https://cdn.shopify.com/s/files/1/0431/7950/7870/files/29705431372.pdf
    • https://cdn.shopify.com/s/files/1/0431/3199/4280/files/latest_bollywood_movies_online_2018.pdf
    • https://cdn.shopify.com/s/files/1/0428/6093/7382/files/free_yearly_calendar_template_excel.pdf
    • https://cdn.shopify.com/s/files/1/0439/1983/5304/files/airplane_games_uptodown.pdf
    • https://cdn.shopify.com/s/files/1/0433/7732/8278/files/differential_calculus_by_gorakh_prasad_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/2204/0731/files/94935176540.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007ec1.bin
8fbf3d27ae25477d42f47c151b96d16e96e5707fa4d6d9543d642a26ef58e3a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EC1 5580 bytes
font_01_sfnt_off000091ae.bin
7aee5e643f9c2360f24f92f172e1b2f28e3528e52a7fe7ae8b6488549607d677		 pdf-font-stream PDF embedded font (sfnt) at offset 0x91AE 14464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.