Malicious PDF — malware analysis report

Static analysis result for SHA-256 982b145d666ff201…

MALICIOUS

PDF

85.7 KB Created: 2020-08-08 01:28:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bd503d0d0d5e7e699dc4a65793bf9c8 SHA-1: 9bd2ac38be794baa71523c3e61cbf25ffdb82a1e SHA-256: 982b145d666ff2018f34cf939c94be2ee458213103fa45bf81da9dd3765ee276
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=reading+comprehension+for+esl+students+pdf'. This indicates the document's primary purpose is to redirect users to a potentially harmful site. The document body, though heavily obfuscated, contains the same URL, reinforcing the malicious intent. The file also exhibits characteristics of a link farm, with numerous embedded URLs, further supporting the redirection attack pattern.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=reading+comprehension+for+esl+students+pdf
    • http://files.moorishculturalbizarre.com/uploads/1/3/0/7/130740049/mujunogo.pdf
    • http://files.nikkiarnell.net/uploads/1/3/2/6/132681910/sewuwozodudovu_sikuz_najetivima.pdf
    • http://files.freezerlink.com/uploads/1/3/0/8/130814288/6335778.pdf
    • https://cdn.shopify.com/s/files/1/0431/2819/3184/files/jisebow.pdf
    • https://cdn.shopify.com/s/files/1/0433/0956/4068/files/drudge_report_rss_feed.pdf
    • https://cdn.shopify.com/s/files/1/0431/3264/9636/files/38732486703.pdf
    • https://cdn.shopify.com/s/files/1/0433/0497/6548/files/susebivuvakekuzomanufixed.pdf
    • https://cdn.shopify.com/s/files/1/0429/2742/3654/files/69307802376.pdf
    • https://cdn.shopify.com/s/files/1/0429/1470/9663/files/37675906083.pdf
    • https://cdn.shopify.com/s/files/1/0432/7135/6582/files/sql_join_multiple_tables_with_conditions.pdf
    • https://cdn.shopify.com/s/files/1/0430/4420/8797/files/40563848860.pdf
    • https://cdn.shopify.com/s/files/1/0429/7228/3033/files/99709871328.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/93366398369.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/2128194791.pdf
    • https://cdn.shopify.com/s/files/1/0433/6749/7880/files/tovixutup.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001128e.bin
536ab808ce9bf8c8f617e3ae2581d6932e361964eb667753c51cc375af1a6987		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1128E 5576 bytes
font_01_sfnt_off00012567.bin
4ded2f423bc1a7895f2cac36f606af82e848df1c29dceb663b21d4621d6a7631		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12567 10500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.