Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ad6494f10e506fd…

MALICIOUS

PDF

41.4 KB Created: 2020-09-02 01:03:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e3ebedc24a5fb23f6530e760f226765 SHA-1: 750701eacaeb618e1099460e862dbe500fcc8241 SHA-256: 7ad6494f10e506fdd04349dde4d1844e0419a8fb485f35ad942bcce4bef90549
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. Additionally, it exhibits a PDF link farm heuristic, with numerous links hosted on Shopify. The document body, though heavily obfuscated, contains the text 'Too not enough worksheets' and the malicious URL, suggesting a lure to a phishing or malware distribution site. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=too+not+enough+worksheets
    • https://cdn.shopify.com/s/files/1/0436/5680/6553/files/38171336431.pdf
    • https://cdn.shopify.com/s/files/1/0428/3976/9254/files/john_blanchard_books.pdf
    • https://cdn.shopify.com/s/files/1/0428/3770/4867/files/4735297709.pdf
    • https://cdn.shopify.com/s/files/1/0433/3663/0422/files/baxejofasobizafuxules.pdf
    • https://cdn.shopify.com/s/files/1/0429/1421/8151/files/10462827090.pdf
    • https://cdn.shopify.com/s/files/1/0428/1827/3446/files/35341056865.pdf
    • https://cdn.shopify.com/s/files/1/0432/3265/7575/files/2977241533.pdf
    • https://cdn.shopify.com/s/files/1/0429/8414/5049/files/sunbeam_heating_pad_flashing_f.pdf
    • https://cdn.shopify.com/s/files/1/0440/2964/0854/files/jabawebapu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6495/0945/files/24642757937.pdf
    • https://cdn.shopify.com/s/files/1/0432/0506/6913/files/lemexalulubepomibo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006393.bin
9a0cb8ad7ec9094adbdf4aa0055027a2e153abbcb0a52a6fc7f2f0f853610541		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6393 4812 bytes
font_01_sfnt_off00007407.bin
eff837c63b655897667b631d488b43a5b8badccff656650decb7598e0b18668c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7407 11012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.