Malicious PDF — malware analysis report

Static analysis result for SHA-256 a27e4abebeb32ed4…

MALICIOUS

PDF

40.8 KB Created: 2020-08-17 02:20:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64aea04538475470add2270f3617196a SHA-1: cbf01728b49b311db58c37ff4dcc6714ef16be18 SHA-256: a27e4abebeb32ed417c12e9b863afd7d3bda4048b0891f2293a20f09db1d3ecd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged for containing a malicious redirector link and a large number of external links, suggesting a link farm or SEO manipulation tactic. The primary malicious URL identified is https://ttraff.ru/pify?keyword=nutritional+information+skimmed+milk+powder. While the document body contains garbled text, the presence of numerous links, including one pointing to known malicious infrastructure, strongly indicates a malicious intent to redirect users. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=nutritional+information+skimmed+milk+powder
    • http://pepom.margaretglaeser.com/uploads/1/3/0/7/130740444/af3b304cb5.pdf
    • http://falusurim.lifeastimothy.com/uploads/1/3/1/6/131636725/mexozelaw.pdf
    • http://files.takeaway.com.sg/uploads/1/3/1/6/131606268/rotaluvekifaku.pdf
    • https://cdn.shopify.com/s/files/1/0432/7384/6952/files/10810017142.pdf
    • https://cdn.shopify.com/s/files/1/0437/1939/3448/files/heograpikal_na_varayti_ng_wika.pdf
    • https://cdn.shopify.com/s/files/1/0431/2511/2988/files/designing_data_intensive_applications_kleppmann_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0432/0077/4308/files/78535474761.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0692/files/bipenebidube.pdf
    • https://cdn.shopify.com/s/files/1/0434/1458/5509/files/catholic_cursive_handwriting_worksheets_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/5179/5107/files/pdf._js_blob_url.pdf
    • https://cdn.shopify.com/s/files/1/0436/8692/0347/files/91956221233.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000566f.bin
cb485e15a187bf9da9bff419c60fcc280430c48d6c312c24be844f8d1fe0a7cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x566F 5312 bytes
font_01_sfnt_off00006884.bin
33271e9ef6525ec57fbda1157489d11bf7a7d4e568f874e6f67509fe3e9c5fb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6884 14892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.