Malicious PDF — malware analysis report

Static analysis result for SHA-256 9797469c3dececf2…

MALICIOUS

PDF

39.5 KB Created: 2020-08-15 16:03:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ba3d70c900ddcb25cf3c4ff8b17fdc8 SHA-1: feda5d4e14a1fab1453a82b84dea98f3d6aa205b SHA-256: 9797469c3dececf2f3663b5a4a337d9ba7ce30464c7021a40a93306c19e47614
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, directing users to ttraff.ru. It also exhibits characteristics of a link farm, with numerous embedded links, many pointing to Shopify domains. The document body, though heavily obfuscated, contains the malicious URL and other embedded URLs, suggesting an attempt to disguise malicious activity within a large number of links. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=arcmap%20data%20driven%20pages%20export%20to%20pdf
    • http://files.rutieborthwick.com/uploads/1/3/0/7/130738799/860937.pdf
    • http://lapabasag.courageandconnection.com/uploads/1/3/1/8/131856476/tejesez_danenatibiz_salunenitarawu.pdf
    • http://files.another-bright-idea.com/uploads/1/3/0/8/130874238/179d56fc5c0f.pdf
    • https://cdn.shopify.com/s/files/1/0439/0027/2792/files/3311715380.pdf
    • https://cdn.shopify.com/s/files/1/0430/0128/2711/files/rinosinusitis_tratamiento.pdf
    • https://cdn.shopify.com/s/files/1/0439/2747/0235/files/14589145869.pdf
    • https://cdn.shopify.com/s/files/1/0429/6101/0842/files/97619629766.pdf
    • https://cdn.shopify.com/s/files/1/0428/8148/2919/files/79998341036.pdf
    • https://cdn.shopify.com/s/files/1/0428/7679/7081/files/beauty_and_the_beast_piano_accompaniment.pdf
    • https://cdn.shopify.com/s/files/1/0430/3018/4098/files/lubelubetunaxabifuwinoji.pdf
    • https://cdn.shopify.com/s/files/1/0428/8934/7228/files/11637792942.pdf
    • https://cdn.shopify.com/s/files/1/0428/7270/1095/files/kavebidoveja.pdf
    • https://cdn.shopify.com/s/files/1/0433/9918/4551/files/51512792677.pdf
    • https://cdn.shopify.com/s/files/1/0435/4139/7656/files/80604726631.pdf
    • https://cdn.shopify.com/s/files/1/0435/2658/6532/files/37051301244.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c72.bin
f06cd8c375d33693fa25f606570e7bef3a9d0e96f9fac3c6e7cb1ef2641fdcc0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C72 5560 bytes
font_01_sfnt_off00006f4a.bin
bcd85005f29758c0e530854cc260fa3087bc7d46ffca405feada0ee0591955ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F4A 9920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.