Malicious PDF — malware analysis report

Static analysis result for SHA-256 7dec7728e76d5879…

MALICIOUS

PDF

42.5 KB Created: 2020-08-12 15:52:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79046add0b3bd82af3086aef33eb201f SHA-1: 9bdb1ab1873dda865fe37de06c7d26646962c7b9 SHA-256: 7dec7728e76d5879345f6eead4bedf4f20a6ee73e845179f1b34ee029c4e0070
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=embryologie+du+tube+digestif+pdf'. This indicates the document is designed to redirect users to malicious infrastructure. The PDF also contains a large number of external links, suggesting a link farm or SEO poisoning tactic to distribute the malicious content. No scripts were extracted, but the presence of the malicious redirector URL is sufficient evidence of malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=embryologie+du+tube+digestif+pdf
    • http://files.pieplacechatt.com/uploads/1/3/1/4/131483138/b2bd10ce9.pdf
    • http://files.salemsong.org/uploads/1/3/1/6/131637701/lafotewamopafex-fefageje-potajebisikez.pdf
    • http://files.courtneytravels.blog/uploads/1/3/1/4/131406885/20409821677efd8.pdf
    • http://files.newlearnerlab.com/uploads/1/3/1/8/131856244/dezipejuribekinenu.pdf
    • https://cdn.shopify.com/s/files/1/0432/8397/2256/files/84219220783.pdf
    • https://cdn.shopify.com/s/files/1/0434/2641/4749/files/85016436958.pdf
    • https://cdn.shopify.com/s/files/1/0433/5111/3883/files/eric_ambler_books.pdf
    • https://cdn.shopify.com/s/files/1/0430/9693/2501/files/pivum.pdf
    • https://cdn.shopify.com/s/files/1/0428/2885/7503/files/nupizizudifunakiliji.pdf
    • https://cdn.shopify.com/s/files/1/0431/7003/7924/files/70173267905.pdf
    • https://cdn.shopify.com/s/files/1/0431/8678/2369/files/xumufapux.pdf
    • https://cdn.shopify.com/s/files/1/0438/8713/2827/files/python_udp_server.pdf
    • https://cdn.shopify.com/s/files/1/0429/2666/9987/files/62463533873.pdf
    • https://cdn.shopify.com/s/files/1/0434/2874/1272/files/mikijemadegusavazusuf.pdf
    • https://cdn.shopify.com/s/files/1/0429/0763/1782/files/ranetixejipiz.pdf
    • https://cdn.shopify.com/s/files/1/0434/7245/3784/files/arkham_city_cheats.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065b9.bin
bb80b744c6569e8f436759e7e1480fc6ddb701e0ae33ad738761978f61b8ef2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65B9 5352 bytes
font_01_sfnt_off000077de.bin
cf4f5cb1db0310b78dbc42718cab225c79970710a06b3f13b31c43edc1f53833		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77DE 11308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.