Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fcac9d5ce28d1a7…

MALICIOUS

PDF

41.5 KB Created: 2020-07-24 09:02:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 930251bc0b9594173a5f389ff99753cb SHA-1: 00a5156b8554197e122b5b140f774bcc0813f5bc SHA-256: 7fcac9d5ce28d1a7823410bdd669c7db32a8ac0d248ca5b8d4ad4af5c1976eff
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with the heuristic PDF_SEO_LINK_FARM indicating a link farm. One of these links, https://ttraff.ru/pify?keyword=adding+doubles+worksheet+pdf, is flagged as a malicious redirector. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDFs from web content, which aligns with the presence of numerous external links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=adding+doubles+worksheet+pdf
    • http://files.tailor-madefitness.com/uploads/1/3/1/8/131872079/jafubujiki-risozodofed.pdf
    • http://files.lifestylehealth12.com/uploads/1/3/1/6/131636988/a790bd70c.pdf
    • http://files.aclinlab.org/uploads/1/3/2/3/132303322/6d11f.pdf
    • https://cdn.shopify.com/s/files/1/0430/5590/6973/files/11416190363.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/47184882359.pdf
    • https://cdn.shopify.com/s/files/1/0432/9072/2469/files/54511847380.pdf
    • https://cdn.shopify.com/s/files/1/0434/2287/5797/files/81791851581.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vuxevitilikibuvenimomabu.pdf
    • https://cdn.shopify.com/s/files/1/0432/7076/6750/files/77796772131.pdf
    • https://cdn.shopify.com/s/files/1/0432/6745/7188/files/66854556359.pdf
    • https://cdn.shopify.com/s/files/1/0433/0107/7142/files/duzejininafeti.pdf
    • https://cdn.shopify.com/s/files/1/0431/7180/7394/files/26448605696.pdf
    • https://cdn.shopify.com/s/files/1/0439/2439/0056/files/45762759654.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006526.bin
a0819285b18cafa029074ad8b8aba69ee3f9c5b3c1ead3e693a869769d44b1d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6526 5260 bytes
font_01_sfnt_off0000770c.bin
4b50a6ae7b33423fc9fa50d88c5920f687553a7b6eed2079bf16383fcc8cbd37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x770C 10036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.