Malicious PDF — malware analysis report

Static analysis result for SHA-256 9872237f021a978e…

Verdict: MALICIOUS
File type: PDF
Size: 56.3 KB
Created: 2020-08-23 04:29:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78a64fc50ea98cc958a7b2a478bad5d5
SHA-1: 29cd5de378f8d46d7dc7013c6a6ba261b972e33d
SHA-256: 9872237f021a978e01ad76f90796935bf1991895d3a363719c7af130a7572e12
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains numerous embedded links, and the critical heuristics identify it as a link farm. One of the primary links, 'https://ttraff.ru/pify?keyword=infographics+free+templates+powerpoint', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this same URL, indicating that the intent is to redirect users to potentially malicious content under the guise of offering free templates. No scripts were extracted, so behaviour beyond the redirect cannot be established from static analysis; in particular, the T1059.001 (PowerShell) mapping is not corroborated by any extracted script and should be treated as a campaign-level association rather than a finding from this sample. The authoring application, wkhtmltopdf (an HTML-to-PDF converter), is consistent with a machine-generated carrier document rather than a hand-authored one.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted link targets (the first is the flagged redirector; the remaining eleven .pdf links form the link-farm cluster, ten of them on cdn.shopify.com):
    • https://ttraff.ru/pify?keyword=infographics+free+templates+powerpoint
    • http://numuwulir.information4felons.com/uploads/1/3/2/6/132695601/sexulotarawu.pdf
    • https://cdn.shopify.com/s/files/1/0432/5857/7064/files/numanavodasomutigukoge.pdf
    • https://cdn.shopify.com/s/files/1/0438/3349/1606/files/write_name_on_cake_birthday_app.pdf
    • https://cdn.shopify.com/s/files/1/0432/0791/7729/files/el_arbitraje_internacional_cuestiones_de_actualidad.pdf
    • https://cdn.shopify.com/s/files/1/0427/3097/9495/files/sawarodilexil.pdf
    • https://cdn.shopify.com/s/files/1/0432/6516/3422/files/fubiliti.pdf
    • https://cdn.shopify.com/s/files/1/0433/3305/8715/files/adjective_worksheets_for_grade_5.pdf
    • https://cdn.shopify.com/s/files/1/0431/4018/6268/files/skinelement_anti-_aging_cream.pdf
    • https://cdn.shopify.com/s/files/1/0427/7580/6119/files/36966909262.pdf
    • https://cdn.shopify.com/s/files/1/0435/2878/1973/files/3rd_grade_staar_math_practice.pdf
    • https://cdn.shopify.com/s/files/1/0435/8130/9085/files/xizijebuxug.pdf
    XMP metadata namespace identifiers (declared in the document's XMP packet; these are standard namespace URIs, not navigable link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
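
The three heuristics above, as an added worked example that is not the analysis platform's own code: a pure-Python extractor that pulls URLs from a PDF by channel (link annotations via /URI actions, text inside content streams after inflating FlateDecode data, and XMP namespace declarations), then applies the redirector, link-farm and embedded-URL checks. The thresholds (at least 8 external .pdf links, file at most 200 KB, at least half of the links on one host), the REDIRECTOR_HOSTS set seeded only with the host named in this report, and the sample PDF built by build_sample_pdf are all assumptions made for the example; the sample mixes three link targets from the report's list with eight constructed cdn.shopify.com paths.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Namespace URIs declared in every XMP packet: identifiers, not navigable links.
XMP_NAMESPACES = {
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
}
# Redirector host named in this report; in production this set comes from threat intel.
REDIRECTOR_HOSTS = {"ttraff.ru"}

STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
# Target of a /URI action written as a literal string; hex strings (<...>) and
# strings with escaped parentheses need a real PDF parser.
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")
BARE_URL = re.compile(rb"https?://[^\s<>()\"']+")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channels that reached it: link_annotation,
    document_body (content or other streams) or xmp_namespace.
    FlateDecode streams are inflated so links inside object streams are seen."""
    channels, streams = {}, []
    for m in STREAM.finditer(pdf):
        try:
            streams.append(zlib.decompress(m.group(1)))
        except zlib.error:
            streams.append(m.group(1))  # uncompressed, or a filter not handled here
    for blob in [pdf, *streams]:  # annotations may sit in raw objects or in ObjStm
        for raw in URI_ACTION.findall(blob):
            channels.setdefault(raw.decode("latin-1"), set()).add("link_annotation")
    for blob in streams:
        targets = {u.decode("latin-1") for u in URI_ACTION.findall(blob)}
        for raw in BARE_URL.findall(blob):
            url = raw.decode("latin-1")
            if url in targets:
                continue  # already credited to the annotation channel
            kind = "xmp_namespace" if url in XMP_NAMESPACES else "document_body"
            channels.setdefault(url, set()).add(kind)
    return channels


def evaluate(pdf: bytes, min_links=8, max_size=200 * 1024, host_share=0.5):
    """Apply the report's three heuristics; the thresholds are assumptions."""
    channels = extract_urls(pdf)
    links = [u for u, ch in channels.items() if "link_annotation" in ch]
    hits = []
    if any(urlsplit(u).hostname in REDIRECTOR_HOSTS for u in links):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    if pdf_links and len(pdf) <= max_size and len(pdf_links) >= min_links:
        top = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0][1]
        if top / len(pdf_links) >= host_share:  # clustered on one host
            hits.append("PDF_SEO_LINK_FARM")
    if any(ch != {"xmp_namespace"} for ch in channels.values()):
        hits.append("EMBEDDED_URL")
    return channels, hits


# Constructed sample: the redirector and two link targets from the report, plus
# eight constructed cdn.shopify.com paths mirroring the report's cluster.
SAMPLE_LINKS = [
    "https://ttraff.ru/pify?keyword=infographics+free+templates+powerpoint",
    "http://numuwulir.information4felons.com/uploads/1/3/2/6/132695601/sexulotarawu.pdf",
    "https://cdn.shopify.com/s/files/1/0432/5857/7064/files/numanavodasomutigukoge.pdf",
] + [f"https://cdn.shopify.com/s/files/1/0432/{i:04d}/0000/files/doc{i}.pdf" for i in range(8)]
# Page content: the redirector URL drawn as text, i.e. the "document body" channel.
SAMPLE_BODY = "BT /F1 12 Tf (https://ttraff.ru/pify?keyword=infographics+free+templates+powerpoint) Tj ET"


def build_sample_pdf(annot_urls, body_text) -> bytes:
    """Constructed minimal PDF: one page, a /Link annotation per URL, an uncompressed
    XMP stream and a FlateDecode content stream. No xref is written; not needed here."""
    body = zlib.compress(body_text.encode())
    xmp = ("<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
           "<rdf:Description xmlns:dc='http://purl.org/dc/elements/1.1/'/></rdf:RDF>")
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(annot_urls)))
    objs = [
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [{refs}] >> endobj",
        f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n{xmp}\nendstream endobj",
    ] + [f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
         f"/A << /S /URI /URI ({u}) >> >> endobj" for i, u in enumerate(annot_urls)]
    out = b"%PDF-1.4\n" + "\n".join(objs).encode("latin-1")
    out += f"\n5 0 obj << /Filter /FlateDecode /Length {len(body)} >> stream\n".encode()
    return out + body + b"\nendstream endobj\n%%EOF\n"


if __name__ == "__main__":
    found, triggered = evaluate(build_sample_pdf(SAMPLE_LINKS, SAMPLE_BODY))
    for url, ch in found.items():
        print(f"{', '.join(sorted(ch)):32} {url}")
    print("heuristics:", triggered)
```

Run against the constructed sample, the redirector URL is credited to both the link-annotation and document-body channels (it is an annotation target and also appears as text inside the inflated content stream), the cdn.shopify.com targets only to the annotation channel, and the two XMP URIs only to the namespace channel, so all three heuristic IDs fire. The regex approach is deliberately minimal: it does not decode hex-string or escaped /URI values, does not follow /JS or /Launch actions, and does not walk the xref table, so a real sample should be triaged with a proper PDF parser before the verdict is relied on; the per-channel split is the part worth keeping, because a URL that only ever appears in an XMP namespace declaration is noise and a URL that appears both as a clickable annotation and inside obfuscated body text is the one to chase.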

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded sfnt (TrueType/OpenType) fonts are expected in wkhtmltopdf output and are not indicators in themselves; their hashes are listed for correlation with other samples from the same generator.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000981d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x981D  5456 bytes
  SHA-256: 5d5d51ec3f09aefba88405f7ae3a0b57b44f7b7667ad43d9405e8ced7306175f
font_01_sfnt_off0000aa93.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xAA93  12916 bytes
  SHA-256: 63f320794821f74d8f2b8a574e2c3c7e8448f3c218695e582aa270e95a4c48cc