Malicious PDF — malware analysis report

Static analysis result for SHA-256 586ad24778a48dfa…

Verdict: MALICIOUS
File type: PDF
Size: 60.9 KB
Created: 2020-07-30 06:29:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4dc3edf4525f23301ef2a35f2a94ea54
SHA-1: 465897ab87c9846659753e2c2a239f0cb19ac838
SHA-256: 586ad24778a48dfa55cd92d169e0b471ffea52c2fb559d146aa336d3c84b0932
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK pointing to 'ttraff.ru'. Another critical heuristic, PDF_SEO_LINK_FARM, indicates a large number of external PDF links, with the first being a Shopify URL. The document body, though heavily obfuscated, contains keywords related to PDF and the redirector URL, suggesting a lure to external content. The primary intent appears to be redirecting users to malicious infrastructure.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.ru/pify?keyword=estenosis+acueducto+de+silvio+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000af45.bin
SHA-256: bb58346e914f00e5c2342d6473544cbe964ead90dc634dc15fe4376abff616dc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAF45
Size: 4952 bytes

Filename: font_01_sfnt_off0000c038.bin
SHA-256: 57a6ac5b3b5af9ba0061e12ba13a16edde583fc95c44b3530195a15b1ee96fe7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC038
Size: 11260 bytes