Malicious PDF — malware analysis report

Static analysis result for SHA-256 85dba0501fa4d233…

MALICIOUS

PDF

43.2 KB Created: 2020-08-03 22:38:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7998f29b5f060aed23a649cf94e59028 SHA-1: 6463628ea2724da6e026f95c80a4551200321108 SHA-256: 85dba0501fa4d233d3ffb314b10e3099fa5bc79032f868cbb2fa3e1bf36bbaf7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is likely used to funnel victims to malicious content. The document body, though heavily obfuscated, contains the same URL and appears to be a lure for 'boosting self esteem'. The presence of numerous other PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to increase visibility. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=boosting+self+esteem+pdf
    • http://files.brightyellowministries.com/uploads/1/3/0/9/130969573/1564683.pdf
    • http://files.eugenesoundproofing.com/uploads/1/3/2/3/132302960/bejaguni-mogamuvodewefe.pdf
    • http://files.bioenergeticsberlin.com/uploads/1/3/1/6/131636689/9171571.pdf
    • http://files.zatoluxury.com/uploads/1/3/0/9/130969545/nefojubig-bibobaxugesu-josajomuju-tuvaregexiwe.pdf
    • https://cdn.shopify.com/s/files/1/0437/2506/2298/files/giwejoxuxodulizoxupiva.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lavijado.pdf
    • https://cdn.shopify.com/s/files/1/0430/3018/4098/files/94653240165.pdf
    • https://cdn.shopify.com/s/files/1/0428/5582/5567/files/24251133208.pdf
    • https://cdn.shopify.com/s/files/1/0431/2583/3884/files/71468869364.pdf
    • https://cdn.shopify.com/s/files/1/0440/4533/6726/files/2331024105.pdf
    • https://cdn.shopify.com/s/files/1/0429/1425/0919/files/99482441994.pdf
    • https://cdn.shopify.com/s/files/1/0430/2408/9242/files/xofefupuzusasabavuze.pdf
    • https://cdn.shopify.com/s/files/1/0433/9109/0844/files/80131363908.pdf
    • https://cdn.shopify.com/s/files/1/0430/5554/6517/files/52512098915.pdf
    • https://cdn.shopify.com/s/files/1/0440/3780/0086/files/kafik.pdf
    • https://cdn.shopify.com/s/files/1/0435/2753/6799/files/xenudunonagi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cb1.bin
54910e08ed5a6f2a41ec23d7c86fc567963702dea2a103cb9d15739134941f60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CB1 5104 bytes
font_01_sfnt_off00007e0a.bin
12a4dcca318e9f720e6345bc4b794eee0a183e8f855b7de0a54a2f87c8649304		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E0A 9976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.