Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b71cd53fe15cf5b…

MALICIOUS

PDF

47.6 KB Created: 2020-08-30 02:09:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a63ca8dd4f5dd54719d84f504dc466f SHA-1: 47ecc2d72c261f2e53388c1400553d64c5f244af SHA-256: 8b71cd53fe15cf5bd799f29b1b132c75b3d19b400e6433db56503fd986b36925
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with the primary one leading to a Shopify domain. The document body, though heavily obfuscated, contains the same malicious URL and references to 'Libre prestation de service', suggesting a lure for users seeking services. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=libre+prestation+de+service
    • https://cdn.shopify.com/s/files/1/0439/2553/6936/files/address_format_comma_after_state.pdf
    • https://cdn.shopify.com/s/files/1/0428/8705/3471/files/timaguvajefi.pdf
    • https://cdn.shopify.com/s/files/1/0431/8180/1629/files/xazipa.pdf
    • https://cdn.shopify.com/s/files/1/0428/3770/4867/files/tadexamokes.pdf
    • https://static.usrfiles.com/ugd/067ecb_f75df51ac88a4f6fad51d97048ee3fb9.pdf
    • https://cdn.shopify.com/s/files/1/0431/2429/3796/files/7575921512.pdf
    • https://cdn.shopify.com/s/files/1/0430/7052/1495/files/julese.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d041ea95fc0438da95402990f57da6f.pdf
    • https://static.usrfiles.com/ugd/b8c837_001ca50aefdb4b19b522b7c6440b69ce.pdf
    • https://static.usrfiles.com/ugd/d5d855_d881c700abb54c83841d9c97c8dadec1.pdf
    • https://static.usrfiles.com/ugd/a18aa6_43962ffe3ae04f5492df5117c3daa2d4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/d5d855_d881c700a

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dce.bin
f7004eee5f9f76f8901998cb036729bf1af8e26768397af05e7cf0ee813264cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DCE 4964 bytes
font_01_sfnt_off00007eb1.bin
9be20be6b49aa0328beaf1cb1d912eef990c440ed1504063fbdb8c52b9c9c5d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EB1 11592 bytes
font_02_sfnt_off0000a37a.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA37A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.