Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d89e6338108e165…

MALICIOUS

PDF

39.3 KB Created: 2020-08-04 19:56:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f36d1296996f0cb48cbb7b7594211d8 SHA-1: beb40d39193deabf428fc3f19ac05aed304c25ed SHA-256: 8d89e6338108e165e79bcb98ef5ba4512981640932122111e48485cca034dc6b
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm and a critical redirector link to 'ttraff.ru', indicating a malicious redirection attempt. The document body, though heavily obfuscated, contains the same malicious URL and several benign-looking Shopify URLs, suggesting a lure for free software that ultimately leads to a malicious site. No scripts were extracted from this sample.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=cadsofttools+pdf+to+dwg+free
    • http://files.jolvi.ca/uploads/1/3/2/7/132712661/mezoxereja_nutopofeja_badudazate_tunutujo.pdf
    • http://files.ctascet.org/uploads/1/3/2/6/132681352/7216e.pdf
    • http://files.fashinfidelity.com/uploads/1/3/2/7/132712209/zejus.pdf
    • http://files.southcreekcandleco.shop/uploads/1/3/1/4/131437702/sasiwevolijunokixoj.pdf
    • https://cdn.shopify.com/s/files/1/0431/8648/7455/files/84877572528.pdf
    • https://cdn.shopify.com/s/files/1/0434/7923/6774/files/kirby_vacuum_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/0737/6542/files/ps4_minecraft_seed_map.pdf
    • https://cdn.shopify.com/s/files/1/0437/4321/5767/files/the_aud_club.pdf
    • https://cdn.shopify.com/s/files/1/0433/2909/3784/files/mijuw.pdf
    • https://cdn.shopify.com/s/files/1/0437/9167/9648/files/42._3655_71._1221.pdf
    • https://cdn.shopify.com/s/files/1/0434/1697/7559/files/jidozumogumufamiwu.pdf
    • https://cdn.shopify.com/s/files/1/0429/0641/9367/files/xavegewopisafadof.pdf
    • https://cdn.shopify.com/s/files/1/0436/9845/4682/files/20238726848.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ae6.bin
b9c2a7d3fd1a3e4df8066edc03edccbf8c396515690c4ff89a6136fced5c0fbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AE6 5208 bytes
font_01_sfnt_off00006cbc.bin
901d3ff14d23300547e47e925b819fc7932dc6f93005df06741c2ec1e6b5f6cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CBC 10576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.