Malicious PDF — malware analysis report

Static analysis result for SHA-256 95faebcd4eecfb1a…

Verdict: MALICIOUS
File type: PDF
Size: 82.9 KB
Created: 2020-08-05 10:44:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a94faf225edc8d2e52e4385ee535913c
SHA-1: 763ae1a9dca4937901233919740db4ec5005a891
SHA-256: 95faebcd4eecfb1a6e6239e4d24e4b0689c58de3ff7ec3d8691b5acbd660a94b
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

Multiple heuristics fired on this PDF, indicating malicious redirection and a link farm. Specifically, it links to 'ttraff.ru', a known malicious redirector, and links to a large number of PDFs hosted on Shopify's CDN, suggesting a link farm for SEO manipulation or traffic generation. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=bssc+inter+level+advertisement+pdf', reinforcing the malicious-redirection finding. The presence of a 'download button' heuristic further supports a lure-based attack pattern.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=bssc+inter+level+advertisement+pdf
    • http://files.lindalgraham.com/uploads/1/3/1/4/131455283/7d86161771d526.pdf
    • http://files.silvercloudexpress.com/uploads/1/3/0/8/130814633/4984068.pdf
    • http://files.jessyceleste.com/uploads/1/3/0/8/130813378/vesaxixiko_rakogiwile.pdf
    • http://files.amorekeepsakesuk.com/uploads/1/3/0/7/130739776/8033648.pdf
    • https://cdn.shopify.com/s/files/1/0432/8495/5300/files/nakodadululapevupove.pdf
    • https://cdn.shopify.com/s/files/1/0437/1123/4199/files/babaragiwusu.pdf
    • https://cdn.shopify.com/s/files/1/0431/4356/1376/files/9908106395.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sarozasupevukofapunaxovu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3521/3479/files/fodisirozomazipudezug.pdf
    • https://cdn.shopify.com/s/files/1/0430/5197/4818/files/beomaster_3000_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/2143/4023/files/nejimimotopulejofonaxisuw.pdf
    • https://cdn.shopify.com/s/files/1/0430/3667/2162/files/77040358895.pdf
    • https://cdn.shopify.com/s/files/1/0431/5657/0266/files/biological_science_freeman_7th_edition_reddit.pdf
    • https://cdn.shopify.com/s/files/1/0430/8641/3985/files/sivupemawanujolujixo.pdf
    • https://cdn.shopify.com/s/files/1/0430/3601/6802/files/carte_du_monde.pdf
    • https://cdn.shopify.com/s/files/1/0436/9930/6649/files/multiplying_and_dividing_algebraic_expressions_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0433/1782/1605/files/lifunijoba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: font_00_sfnt_off0000bafc.bin
  SHA-256: a73640d01175f8b3fd0ae305ad6155816f1ea7872ddc0215a05af4cb58a1cdf8
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xBAFC
  Size:    5088 bytes

Filename: font_01_sfnt_off0000cc2a.bin
  SHA-256: a7c194c348f4bc26aad06ae1fa1eadf76503a3aca856ff80314c3d87a816eea9
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xCC2A
  Size:    3720 bytes

Filename: font_02_sfnt_off0000d78a.bin
  SHA-256: edde95e3edda79f820f60e667b086f80f3c1a0dff798f9c712b0a68d23d6877d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xD78A
  Size:    15180 bytes

Filename: font_03_sfnt_off00010634.bin
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10634
  Size:    4324 bytes

Filename: font_04_sfnt_off00011435.bin
  SHA-256: 7566bf168f53981370ba0f28746dfe85c3b39dc093f0585d120aa88ac8969ddb
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x11435
  Size:    12396 bytes