Malicious PDF — malware analysis report

Static analysis result for SHA-256 838e84a00666e1b2…

MALICIOUS

PDF

35.9 KB Created: 2020-08-11 04:45:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 279ae38adc933faf0d48502d95a50762 SHA-1: 1e263e79a13530575b182314ad859a8316ad65f7 SHA-256: 838e84a00666e1b288b1408ca0a8e9315ea99d5e001e6b28b02fa00cfad46b81
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs hosted on platforms like Shopify. The document body, though heavily obfuscated, contains the same malicious URL and appears to be a lure for a free PDF download, indicated by the presence of a 'Download Now' type phrase. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=fundamentals+of+mathematical+statistics+by+gupta+and+kapoor+free+pdf
    • http://files.thekentuckynational.com/uploads/1/3/0/7/130739918/kutewevoge.pdf
    • http://files.sbresourcegrp.com/uploads/1/3/0/9/130969312/1e4fa7.pdf
    • http://files.dennispearne.com/uploads/1/3/2/6/132682739/8258270.pdf
    • https://cdn.shopify.com/s/files/1/0434/8595/4198/files/vivevusudetusetutiruvilon.pdf
    • https://cdn.shopify.com/s/files/1/0440/8590/3510/files/centrales_hidroelectricas_en_chile.pdf
    • https://cdn.shopify.com/s/files/1/0431/5247/4267/files/wasoriwip.pdf
    • https://cdn.shopify.com/s/files/1/0429/2732/5343/files/51428439313.pdf
    • https://cdn.shopify.com/s/files/1/0439/0794/0520/files/83486162706.pdf
    • https://cdn.shopify.com/s/files/1/0432/4681/3344/files/38119162317.pdf
    • https://cdn.shopify.com/s/files/1/0437/8198/0317/files/94517099374.pdf
    • https://cdn.shopify.com/s/files/1/0438/0327/9517/files/rfid_based_attendance_system_report.pdf
    • https://cdn.shopify.com/s/files/1/0434/6786/6265/files/nifoteniduxid.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/93616534700.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c54.bin
35d26fa0c3617ce84646a3cd10764eb137053929c81c03b38ec5a414f87e53cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C54 5832 bytes
font_01_sfnt_off00006000.bin
96a441740454428b4179b5e880790dbd9c6d1b8935fadbd0babdf3cfadd6ad94		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6000 9968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.