Malicious PDF — malware analysis report

Static analysis result for SHA-256 918bc6617c6b7850…

MALICIOUS

PDF

Size: 55.8 KB
Created: 2020-08-20 00:40:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f86f75564584afa5b201c45a2c723da
SHA-1: ddcc05b26c288782c431431d1c30eb773d6d8df5
SHA-256: 918bc6617c6b78507f2b3bba886fe12ee8bd43ce9346828b22ba2d861b82adca
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=acute+tubular+necrosis+review+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, including one hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the intent to redirect the user. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=acute+tubular+necrosis+review+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00009a69.bin | 47ad3fdb0b676fdc9222bb14af9f4c73c785994adfaafdc0d0155a4a54633906 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9A69 | 5428 bytes
font_01_sfnt_off0000acfa.bin | 3fd456177342c178ef705b9f80152c0fd555722b9a5894bbb6018012142d2c33 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xACFA | 10972 bytes