Malicious PDF — malware analysis report

Static analysis result for SHA-256 a58bdf9db330d2f3…

MALICIOUS

PDF

46.7 KB Created: 2020-08-20 05:39:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ca86268ad3e4f87ab1739452ec4fa60 SHA-1: d2fdcdc02d3d4b7dd4ebcefb0016e3eb128309c6 SHA-256: a58bdf9db330d2f304e661030ee64c50ebb4fadcc50ac72610c2839b6bd0362a
140 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link T1566.002 Phishing: Spearphishing Attachment

The PDF contains a lure instructing the user to enable macros or editing, a common technique for malware delivery. It also features a mass external PDF link farm, with the primary link pointing to a known malicious redirector. The redirector URL is 'https://ttraff.ru/pify?keyword=confluence+server+documentation+template', which likely leads to further malicious content. The presence of numerous links, including one to a potentially malicious redirector, indicates a phishing or social engineering attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=confluence+server+documentation+template
    • http://fixanik.alizahlathrop.com/uploads/1/3/1/4/131438216/4488425.pdf
    • http://files.franklinhsband.net/uploads/1/3/1/8/131857112/luraxi.pdf
    • https://cdn.shopify.com/s/files/1/0430/8343/2096/files/vilorujemibavelozogana.pdf
    • https://cdn.shopify.com/s/files/1/0432/2790/6206/files/open_exe_on_mac.pdf
    • https://cdn.shopify.com/s/files/1/0434/3971/8562/files/college_algebra_and_trigonometry_3rd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0432/7030/7995/files/92439572606.pdf
    • https://cdn.shopify.com/s/files/1/0459/9942/3647/files/86059569189.pdf
    • https://cdn.shopify.com/s/files/1/0430/3169/1421/files/streamline_english_directions_workbook.pdf
    • https://cdn.shopify.com/s/files/1/0445/8404/2655/files/16100951945.pdf
    • https://cdn.shopify.com/s/files/1/0431/0640/2453/files/pibutepivolejirug.pdf
    • https://cdn.shopify.com/s/files/1/0429/4826/4089/files/jixen.pdf
    • https://cdn.shopify.com/s/files/1/0432/3147/7922/files/javoxanivijab.pdf
    • https://cdn.shopify.com/s/files/1/0428/2223/8374/files/dadimikitegifiwexidokani.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079c8.bin
46708b8f8dbe79050610ca98cd8b4f8c9eed0645a53909f69e24e0132e24567d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79C8 5264 bytes
font_01_sfnt_off00008b9b.bin
4400c8290469583f72e420771749312053c07f47d2b5776c33dae98b6c20b675		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B9B 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.