Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d98ea83997c2d3a…

MALICIOUS

PDF

Size: 35.6 KB
Created: 2020-08-11 15:08:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7cf9fbdc0f2ef0cd113c6318fb833ccd
SHA-1: 17fcc1fc6c193823f819b61f82683a212475be3a
SHA-256: 9d98ea83997c2d3a743a13ae7256a3d962bf4e98b4d3fd34b90f43e59c7a853f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, a common tactic for SEO spam and phishing. One critical heuristic identified a link to a known malicious redirector, ttraff.ru, which is disguised as a 'pelonis electric heater user manual'. The presence of a large number of external PDF links further supports the SEO spam interpretation. No scripts were extracted, but the primary attack vector appears to be user interaction with the malicious link.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wb?keyword=pelonis%20electric%20heater%20user%20manual
    • http://files.joanderssonstudios.com/uploads/1/3/2/6/132681201/5d6e16.pdf
    • http://files.lensdefender.com/uploads/1/3/0/9/130969809/jewuze-joxotaluvovuk-gexevul-zemunuligotijap.pdf
    • http://files.doylerealtors.com/uploads/1/3/0/7/130739039/roboni.pdf
    • https://cdn.shopify.com/s/files/1/0437/0992/3493/files/rpg_maker_mv_monster_sprites.pdf
    • https://cdn.shopify.com/s/files/1/0431/1928/0288/files/93683041866.pdf
    • https://cdn.shopify.com/s/files/1/0440/4235/4853/files/76387723752.pdf
    • https://cdn.shopify.com/s/files/1/0434/5459/5224/files/34924866231.pdf
    • https://cdn.shopify.com/s/files/1/0434/5063/0296/files/luduniwufibagenedimo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8381/7375/files/75841116098.pdf
    • https://cdn.shopify.com/s/files/1/0432/4645/2899/files/zipedefip.pdf
    • https://cdn.shopify.com/s/files/1/0446/9863/2346/files/siselirigiketajela.pdf
    • https://cdn.shopify.com/s/files/1/0434/0026/5878/files/mozopurovifuxobus.pdf
    • https://cdn.shopify.com/s/files/1/0432/1073/5780/files/complements_in_binary_number_system.pdf
    • https://cdn.shopify.com/s/files/1/0432/6581/8789/files/inspect_element_cookie_clicker.pdf
    • https://cdn.shopify.com/s/files/1/0448/5795/0370/files/toyota_motor_manufacturing_usa_inc_case_study.pdf
    • https://cdn.shopify.com/s/files/1/0432/7954/8574/files/woxele.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004e09.bin
    SHA-256: bcecbb33bce62e83b90691f29596207d19329a9edc695a74dc87c76ce10f7b8f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E09
    Size: 5040 bytes
  • Filename: font_01_sfnt_off00005ef7.bin
    SHA-256: d42471e78c942e6e92831f96f9f7c52908da8baf3cfbfb74c591462c91d417ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EF7
    Size: 10240 bytes