Malicious PDF — malware analysis report

Static analysis result for SHA-256 959a0954aa95c43d…

MALICIOUS

PDF

42.4 KB Created: 2020-08-23 00:59:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 865f7b7a7cfc83cc47b78aaf25849fb6 SHA-1: 550e3916e268b241f504994d02d5e2cd1ec4751d SHA-256: 959a0954aa95c43dc5c2d04091e3c6d716db599592ad91e2ad57b3ba9009755d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=tmux+cheat+sheet+resize'. This URL is presented to the user as a "tmux cheat sheet resize" within the document body. Additionally, the PDF exhibits characteristics of an SEO link farm, embedding numerous links to other PDFs, likely to manipulate search engine rankings and distribute malicious content. The presence of multiple benign Shopify links and one unknown link from 'levaf.definitivearts.net' suggests a broader distribution or redirection strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=tmux+cheat+sheet+resize
    • http://levaf.definitivearts.net/uploads/1/3/2/6/132680981/fezujijuziwaxuz-jidajepisarira-fawij-xowitamenako.pdf
    • https://cdn.shopify.com/s/files/1/0437/5642/1269/files/29._7604_n_95._3698_w.pdf
    • https://cdn.shopify.com/s/files/1/0437/6346/6391/files/30185316679.pdf
    • https://cdn.shopify.com/s/files/1/0428/9894/8255/files/purufapabiwirobi.pdf
    • https://cdn.shopify.com/s/files/1/0431/8960/0414/files/87453073964.pdf
    • https://cdn.shopify.com/s/files/1/0432/8158/0200/files/wemodilogi.pdf
    • https://cdn.shopify.com/s/files/1/0428/1057/2967/files/alter_ego_4.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/kovogosiwe.pdf
    • https://cdn.shopify.com/s/files/1/0440/8089/0008/files/bowuperaxirazer.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005291.bin
707f413b3c863a1676f0fff60a20321f29fe7ee0c2e1a19ef2962c7c52f7bde8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5291 5076 bytes
font_01_sfnt_off000063b8.bin
4cc3883c3981f319b74e3bbb00929c617496a29e467bd1ea6a8b89c8078e4d6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63B8 10652 bytes
font_02_sfnt_off00008846.bin
1d58567f93ecd628bf014bd0841a08a19c5ebc5bef379569a2bedd04588a7f3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8846 16084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.