Malicious PDF — malware analysis report

Static analysis result for SHA-256 930d89fff5614f54…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-08-03 12:53:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 471912cc1f0164f680e34a36c0b6836a
SHA-1: f2840ee295cd65c590fbfb849ee8c9243c9953d0
SHA-256: 930d89fff5614f545b1f5690ab3f9d9de7398bc3f18791eaf0a889ce6f0c4516
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

A heuristic fired on a malicious redirector link in the PDF, specifically 'https://ttraff.ru/pify?keyword=blank+behavior+chart+pdf'. The URL is presented within the document body, which suggests a social engineering lure. The file also shows the characteristics of a link farm: numerous embedded URLs, many of them hosted on Shopify. The primary malicious URL is most likely intended to redirect the user to a phishing or malware distribution site.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=blank+behavior+chart+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006f21.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6F21   5376 bytes
  SHA-256: 81d9fac2a9affa662555f6095afd5c6a899e9dd83ecfd9bfd6c338ae91910055
font_01_sfnt_off00008167.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8167   10028 bytes
  SHA-256: d7e8156d7c1b26c815703c90f6d15ac46ec13856572ec41289cc5dcd51328f78