Malicious PDF — malware analysis report

Static analysis result for SHA-256 877ef35258062314…

MALICIOUS

PDF

33.6 KB Created: 2020-08-10 06:27:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ce58efc0ff3b3f15ec4e9bdd7bc96ba SHA-1: df4a655373a015ed03000b804304e0604b167aa4 SHA-256: 877ef352580623148dfdcd2e3978507f4c9267a601c52d41f9e1854a7c0d44b8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. The primary malicious indicator is a link to `ttraff.ru`, a known malicious redirector, which is presented as an 'alcatel u5 manual pdf'. This suggests the document is part of a phishing or malware distribution campaign, using a seemingly innocuous document to redirect users to malicious infrastructure. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=alcatel+u5+manual+pdf
    • http://files.judithmcosta.com/uploads/1/3/1/4/131437983/4a947cc6a44.pdf
    • http://files.rotterdamenglishspeakingtheatre.nl/uploads/1/3/2/8/132814343/4064905.pdf
    • http://files.smithfieldarts.com/uploads/1/3/0/8/130874370/mudidosawukapif.pdf
    • https://cdn.shopify.com/s/files/1/0440/2728/1558/files/42962500141.pdf
    • https://cdn.shopify.com/s/files/1/0431/0482/9602/files/tefapupupenopuwiji.pdf
    • https://cdn.shopify.com/s/files/1/0429/2627/6775/files/37347871065.pdf
    • https://cdn.shopify.com/s/files/1/0431/0892/5602/files/15594179446.pdf
    • https://cdn.shopify.com/s/files/1/0430/7235/6505/files/how_to_install_opencv_on_raspberry_pi.pdf
    • https://cdn.shopify.com/s/files/1/0440/1161/8462/files/footprints_in_the_sand_poem.pdf
    • https://cdn.shopify.com/s/files/1/0428/0582/1599/files/39789244357.pdf
    • https://cdn.shopify.com/s/files/1/0434/5144/9504/files/pojixulerufabe.pdf
    • https://cdn.shopify.com/s/files/1/0429/8375/1831/files/najurixuginasolizazaxedon.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004672.bin
336c0a3fc5feb94bb1b9238450f9c88e99d19490af4dc925466a0da9c4b2fd1b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4672 5140 bytes
font_01_sfnt_off000057e9.bin
c36de6ff5576474480b5b442fc68bc34280410cda9fd76ae838b2ab0146bddee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57E9 10072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.