Malicious PDF — malware analysis report

Static analysis result for SHA-256 94dd0456273c7c68…

MALICIOUS

PDF

49.5 KB Created: 2020-08-27 19:54:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 509375e3d186888862aac98277849a36 SHA-1: c5800282f4939ba084368ecfd05ec65e475318c7 SHA-256: 94dd0456273c7c68ad97f39d068edbfd6c20803c8f476159e901774af34c1b57
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a significant portion of which point to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=keltie+byrne+family', which is flagged as a malicious redirector. The presence of a large number of external PDF links, many hosted on shopify.com, suggests a link farm or SEO poisoning tactic to obscure the malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=keltie+byrne+family
    • http://files.guadalupeschool.com/uploads/1/3/0/7/130739697/zitinumedirolojik.pdf
    • http://zalefuj.midwestroping.com/uploads/1/3/0/9/130969754/6290340.pdf
    • http://files.customerservicetalk.com/uploads/1/3/1/4/131409709/70d6c447d1d.pdf
    • https://cdn.shopify.com/s/files/1/0432/2358/0830/files/conway_functional_analysis_solutions.pdf
    • https://cdn.shopify.com/s/files/1/0432/6581/8789/files/maths_symbols_and_their_names.pdf
    • https://cdn.shopify.com/s/files/1/0431/5611/1520/files/mabipene.pdf
    • https://cdn.shopify.com/s/files/1/0437/6195/9070/files/2_digit_by_2_digit_multiplication_worksheets_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/6801/5260/files/zutadusubefeja.pdf
    • https://cdn.shopify.com/s/files/1/0436/5965/7374/files/77332221829.pdf
    • https://cdn.shopify.com/s/files/1/0433/9118/9157/files/xibumatojonelekasob.pdf
    • https://cdn.shopify.com/s/files/1/0431/8052/3678/files/birumazopuwijin.pdf
    • https://cdn.shopify.com/s/files/1/0435/5502/9141/files/besharam_full_movie_hd_720p_khatrimaza.pdf
    • https://cdn.shopify.com/s/files/1/0433/1762/4990/files/477149558.pdf
    • https://cdn.shopify.com/s/files/1/0432/7692/7142/files/29745344072.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079a9.bin
ab9e079cfca99fa465c027bff3dd59efbecaf55306fac2c9a7666e89f5118a51		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79A9 4624 bytes
font_01_sfnt_off00008940.bin
8e98fdc23e371bcb67a4562ca9695d4625e9fde270286ac4af89b9a08c02d288		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8940 9980 bytes
font_02_sfnt_off0000ab6c.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB6C 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.