Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4377d709d18de53…

MALICIOUS

PDF

53.2 KB Created: 2020-07-31 13:47:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c34ab0d8a59f6b569e924a29c70bb87 SHA-1: cf9b02e0d6061e6963057865498c9d8be1a22b33 SHA-256: a4377d709d18de53b7f267e6126d829444009b78e5cf6880cab0480f135cc733
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating it's a malicious redirector link, pointing to a URL that includes 'admission circular' in its query parameters. This suggests a phishing lure. The file also contains a large number of embedded URLs, many hosted on cdn.shopify.com, which is indicative of a link farm used to obscure the final malicious destination. The primary malicious URL is ttraff.ru, which is known for redirecting to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bsmrmu+admission+circular+2020+19+pdf
    • http://files.flamingwoodwinds.com/uploads/1/3/1/8/131871569/kagisofosob-jadojun-dapix.pdf
    • http://files.masofrancesco.com/uploads/1/3/0/7/130775759/5dc5bce9637d.pdf
    • http://files.sheilabanks.com/uploads/1/3/1/8/131856200/9963369.pdf
    • http://files.derrickgriffey.com/uploads/1/3/0/8/130873732/1462424.pdf
    • http://files.derrickgriffey.com/uploads/1/3/0/8/130873732/1462424.p
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sopituwoxo.pdf
    • https://cdn.shopify.com/s/files/1/0431/4578/9600/files/84838955962.pdf
    • https://cdn.shopify.com/s/files/1/0432/5559/5172/files/44710693311.pdf
    • https://cdn.shopify.com/s/files/1/0430/4253/7629/files/82035452983.pdf
    • https://cdn.shopify.com/s/files/1/0430/7232/3737/files/vitenatuvorizi.pdf
    • https://cdn.shopify.com/s/files/1/0430/4610/9345/files/35875969617.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1587610690.pdf
    • https://cdn.shopify.com/s/files/1/0430/7622/3129/files/1487002439.pdf
    • https://cdn.shopify.com/s/files/1/0437/9472/7074/files/2052765173.pdf
    • https://cdn.shopify.com/s/files/1/0431/3445/1874/files/16343010531.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b91.bin
08bfeab08d97d81e9fc2d2ab061c20a828183b8fbe045d806d9f8be1352e8315		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B91 5516 bytes
font_01_sfnt_off00007e22.bin
be79e83144337adc39b4058ad5b50f557753ad03c9bc2e0c408df82707bfd7aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E22 10060 bytes
font_02_sfnt_off00009ed8.bin
0295404550b2e93731ac3f1accc86444161d92aaba702362b1f8f4eab7b68a71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9ED8 13044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.