Malicious PDF — malware analysis report

Static analysis result for SHA-256 91534be894285a90…

MALICIOUS

PDF

43.5 KB Created: 2020-08-31 01:47:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9205dea5571c01b4ee3daf2ab8d4f7be SHA-1: 0330c836d5640307020b1070cedad8a6cf9c2c75 SHA-256: 91534be894285a90e9ee365ff48ee1e79b2dc0f176d38a3e208285bf856c0e7a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with 30 links pointing to cdn.shopify.com, indicating a link farm. One critical heuristic identified a PDF link redirecting to known malicious infrastructure at 'https://ttraff.ru/wix?keyword=salario+de+alexandre+fetter'. The document body contains garbled text and the URL 'https://ttraff.ru/wix?keyword=salario+de+alexandre+fetter' is present within the document stream, suggesting a lure to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=salario+de+alexandre+fetter
    • https://cdn.shopify.com/s/files/1/0434/1619/1138/files/telidatizixadus.pdf
    • https://cdn.shopify.com/s/files/1/0428/6621/3031/files/yoruba_kjv_bible.pdf
    • https://cdn.shopify.com/s/files/1/0433/3161/6923/files/ielts_writing_task_2_sample_answer_band_8.pdf
    • https://cdn.shopify.com/s/files/1/0427/6404/2396/files/buxivim.pdf
    • https://cdn.shopify.com/s/files/1/0438/0560/6049/files/79934932457.pdf
    • https://static.usrfiles.com/ugd/e73fea_7639614b8ed7434ea5954f1ec3e764d4.pdf
    • https://static.usrfiles.com/ugd/a1fb72_6ce9027a9ec7458f980d13be21f12b67.pdf
    • https://static.usrfiles.com/ugd/b8c837_c55104c5d7e8479597ff6856ced91dbb.pdf
    • https://cdn.shopify.com/s/files/1/0438/0491/7917/files/pravana_chromasilk_color_chart.pdf
    • https://cdn.shopify.com/s/files/1/0437/0802/2938/files/84906936808.pdf
    • https://cdn.shopify.com/s/files/1/0432/4697/7188/files/pekosid.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dosodasanofesawule.pdf
    • https://static.usrfiles.com/ugd/e33828_bd46b20b6c4f4ea48147fab192323f00.pdf
    • https://static.usrfiles.com/ugd/ab059d_c5de20eb0b2a46eba0bd721177ed5496.pdf
    • https://static.usrfiles.com/ugd/6c032c_73feff8aa3554abf8afafaa802e9e339.pdf
    • https://static.usrfiles.com/ugd/b6bf5b_33b4c32a761c44a5a92fe227b2d5feaf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069c7.bin
90a45269c11e8c61bfc4cff593d56cda7eb4880d675f09959985d3b657a34a9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69C7 4896 bytes
font_01_sfnt_off00007a77.bin
5e5aec186e88cb0c3ccd69408f661712e21bd9219aa29a94d5218b30e6a9496d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A77 11416 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.