Malicious PDF — malware analysis report

Static analysis result for SHA-256 921c33b80728cdf9…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Created: 2020-08-14 18:32:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3eca27df068d30cf3752205776b5ba2c
SHA-1: 6646d4bd333bc2e94c6fba6f7ea27bf08a2a4dcd
SHA-256: 921c33b80728cdf91cd063dacc2d070ad62ab19863e6ef958be0d83cd8f10bf3
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on Shopify. One of the primary links, however, directs to 'ttraff.ru', identified as a malicious redirector. The document body, though heavily obfuscated, contains the same URL, suggesting the primary intent is to redirect the user to malicious infrastructure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=venomancer+dotabuff+guide
    • http://files.rioxpvista.com/uploads/1/3/1/6/131637034/36c763c9765.pdf
    • http://files.clunkk.com.au/uploads/1/3/2/6/132680808/jezexinemiko-nebasadaxonike-davolapuvatujet-rasalogupusi.pdf
    • https://cdn.shopify.com/s/files/1/0434/7405/9426/files/smallville_season_1.pdf
    • https://cdn.shopify.com/s/files/1/0430/7176/6695/files/cambio_de_a_word_online_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/24370467333.pdf
    • https://cdn.shopify.com/s/files/1/0432/0080/7070/files/30758444209.pdf
    • https://cdn.shopify.com/s/files/1/0428/7217/6799/files/84321406938.pdf
    • https://cdn.shopify.com/s/files/1/0449/5199/4536/files/doxanotowivi.pdf
    • https://cdn.shopify.com/s/files/1/0429/7113/6154/files/momogixejufibitax.pdf
    • https://cdn.shopify.com/s/files/1/0434/2284/3036/files/sarukaw.pdf
    • https://cdn.shopify.com/s/files/1/0432/9888/1704/files/28987680445.pdf
    • https://cdn.shopify.com/s/files/1/0439/0112/4760/files/64194802250.pdf
    • https://cdn.shopify.com/s/files/1/0429/6497/5765/files/33939139442.pdf
    • https://cdn.shopify.com/s/files/1/0433/7749/2118/files/budismo_principios.pdf
    • https://cdn.shopify.com/s/files/1/0435/2652/0986/files/buried_alive_avenged_sevenfold_tab.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000653b.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x653B    5236 bytes
  SHA-256: b619a034a6977cf56dfe93ea860c487f644fa570710e7679bea06764486877a9
font_01_sfnt_off000076f6.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x76F6    10216 bytes
  SHA-256: 69cc6f0b58019ff4159c1c6b13bea02a1bb1d359c5d769d987f2ae609222f3a0
font_02_sfnt_off00009a33.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x9A33    16064 bytes
  SHA-256: e456b5595f6e624407e10960d432782794320480929f7deed69280b081edb597