Malicious PDF — malware analysis report

Static analysis result for SHA-256 930ff3956cf2ffea…

Verdict: MALICIOUS
File type: PDF
Size: 50.8 KB
Created: 2020-08-07 23:00:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be232dfc3f0ebf0c006c27d11b16e0d3
SHA-1: c16d67b2e52828efef418f746b348f5547b2c579
SHA-256: 930ff3956cf2ffea7afd95f585d48cb9bc78b062f171293b7085e5ec765f857e
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF triggers a critical heuristic for a clickable link to the known malicious redirector host 'ttraff.ru'. It also matches the PDF link-farm heuristic: a small document carrying many external links to other PDFs, most of them on 'cdn.shopify.com'. The document body, although heavily obfuscated, contains the same redirector URL. The sample's purpose is therefore to route users to malicious sites through these links (an SEO/adware-style carrier) rather than to exploit the PDF reader.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Urgency / deadline lure (low) SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=antioxidant+activity+of+centella+asiatica+pdf
    • http://files.greenharboryc.com/uploads/1/3/1/0/131070826/3516765.pdf
    • http://files.hmsplymouthassociation.org/uploads/1/3/1/6/131608037/7846892.pdf
    • http://files.fossilcreekfamilymedicalcenter.com/uploads/1/3/1/3/131383848/2b5df3ce.pdf
    • http://files.inspiring-tomorrows-leaders.com/uploads/1/3/1/3/131382148/vojafanelajoxibawine.pdf
    • https://cdn.shopify.com/s/files/1/0432/5949/4555/files/womukodifofifabapajivoxi.pdf
    • https://cdn.shopify.com/s/files/1/0430/1642/1529/files/70355361454.pdf
    • https://cdn.shopify.com/s/files/1/0438/5370/9472/files/pimumexatitulibubati.pdf
    • https://cdn.shopify.com/s/files/1/0437/3096/0536/files/goririjolugasaxanuviret.pdf
    • https://cdn.shopify.com/s/files/1/0433/3263/2730/files/74691151048.pdf
    • https://cdn.shopify.com/s/files/1/0429/9590/8761/files/tumapukutotegiwozadafite.pdf
    • https://cdn.shopify.com/s/files/1/0436/4389/5958/files/69409690155.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gekisemegudifusoledo.pdf
    • https://cdn.shopify.com/s/files/1/0434/6239/4021/files/xaxose.pdf
    • https://cdn.shopify.com/s/files/1/0430/1789/6089/files/godedetoxapolekiwija.pdf
    • https://cdn.shopify.com/s/files/1/0429/5743/9129/files/48780763324.pdf
    The remaining entries are XMP/RDF metadata namespace identifiers taken from the document's metadata stream, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
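As an added example (not part of this report or of the engine that produced it), the following Python script pulls /URI link-annotation targets out of raw PDF bytes, looks inside FlateDecode streams where object streams often hide annotation dictionaries, and applies the two critical heuristics above. The thresholds (200 KB, 8 links, 50% on one host), the REDIRECTOR_HOSTS set and the sample PDF are assumptions; the sample is constructed here and reuses URLs listed in this report, with one annotation compressed to exercise the stream path and an XMP block to show that namespace URIs are not counted as links.

```python
"""Added example: link-farm / redirector heuristics over raw PDF bytes (not the report's engine)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Redirector hosts to flag. 'ttraff.ru' is the one named in this report; in practice
# (assumption) this set is fed from your own intel list.
REDIRECTOR_HOSTS = {"ttraff.ru"}

# /URI (literal string) inside a link-annotation action dict. Handles backslash-escaped
# parentheses; hex-string URIs (/URI <...>) are not covered by this regex.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _decode(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\").decode("latin-1")


def extract_link_uris(pdf: bytes) -> list[str]:
    """Every /URI target in plain objects, plus those inside FlateDecode streams
    (object streams frequently hide annotation dicts from a naive grep)."""
    uris = [_decode(m.group(1)) for m in URI_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        try:
            body = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # fonts, images, uncompressed XMP: not a /URI carrier
        uris.extend(_decode(x.group(1)) for x in URI_RE.finditer(body))
    return uris


def assess(pdf: bytes, max_size: int = 200_000, min_pdf_links: int = 8,
           cluster_ratio: float = 0.5) -> list[tuple[str, str, str]]:
    """Apply the two critical heuristics from the report. Thresholds are assumptions."""
    findings = []
    uris = extract_link_uris(pdf)
    for u in uris:
        if (urlparse(u).hostname or "").lower() in REDIRECTOR_HOSTS:
            findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", u))
    # Link farm: small file, many clickable links to *other* PDFs, mostly on one host.
    pdf_links = [u for u in uris
                 if u.lower().startswith(("http://", "https://"))
                 and urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= max_size and len(pdf_links) >= min_pdf_links:
        host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{len(pdf_links)} external .pdf links, {n} on {host}"))
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): a minimal PDF whose link annotations
    reuse URLs from this report. The last annotation is placed inside a FlateDecode stream."""
    links = [
        "https://ttraff.ru/pify?keyword=antioxidant+activity+of+centella+asiatica+pdf",
        "http://files.greenharboryc.com/uploads/1/3/1/0/131070826/3516765.pdf",
        "http://files.hmsplymouthassociation.org/uploads/1/3/1/6/131608037/7846892.pdf",
    ] + [f"https://cdn.shopify.com/s/files/1/{p}/files/{f}" for p, f in [
        ("0432/5949/4555", "womukodifofifabapajivoxi.pdf"), ("0430/1642/1529", "70355361454.pdf"),
        ("0438/5370/9472", "pimumexatitulibubati.pdf"), ("0437/3096/0536", "goririjolugasaxanuviret.pdf"),
        ("0433/3263/2730", "74691151048.pdf"), ("0429/9590/8761", "tumapukutotegiwozadafite.pdf"),
        ("0436/4389/5958", "69409690155.pdf"), ("0429/5743/9129", "48780763324.pdf")]]
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>"
    page = b"<< /Type /Page /Annots [\n" + b"\n".join(annot % u.encode() for u in links[:-1]) + b"\n] >>"
    hidden = zlib.compress(annot % links[-1].encode())
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/></x:xmpmeta>")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n" + page + b"\nendobj\n",
        b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden) + hidden + b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n" + xmp + b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for sev, rule, detail in assess(build_sample_pdf()):
        print(sev, rule, detail)
```

Against the constructed sample this reports the redirector link and a link farm of 10 external .pdf links with 8 on cdn.shopify.com; the XMP namespace URI is never counted because it is not a /URI action. A production version would also resolve hex-string URIs, /GoToR remote-file actions and /Launch actions, and would parse the xref and object streams properly instead of regex-scanning every stream.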

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off000086ee.bin
  SHA-256: 5dc1af71fdde1d380f3234177b0fd555b0499066a601d01106b7e44c100ba8ec
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x86EE
  Size: 5272 bytes

font_01_sfnt_off0000990c.bin
  SHA-256: e2fe4254b6b660424a6d00865ec8f81d18c2e6d4366e4c7e5fcfd3a513dc0f99
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x990C
  Size: 10872 bytes