Malicious PDF — malware analysis report

Static analysis result for SHA-256 a72a7d4f4a9cc768…

MALICIOUS

PDF

44.0 KB Created: 2020-07-23 09:02:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 71fe0103102a837cee3577712e815e50 SHA-1: 1c08d339679b9c27ce86f284917674fa63e15d4c SHA-256: a72a7d4f4a9cc768e21de7aac26bb796f8f14fce103b0b9fe89d02432eafe865
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, embedding numerous external links. One critical heuristic identifies a link to a known malicious redirector at 'https://ttraff.ru/pify?keyword=block+ads+android+dns'. Another heuristic flags a mass of external PDF links, with the first identified as 'https://cdn.shopify.com/s/files/1/0430/8205/5833/files/tixexiwad.pdf'. These findings suggest the document's primary purpose is to lure users to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=block+ads+android+dns
    • http://files.college-boundplayerportal.com/uploads/1/3/1/6/131637889/godamowodasumudowo.pdf
    • http://files.blingattiphanys.com/uploads/1/3/1/1/131163846/8613768.pdf
    • http://files.kgreggartist.com/uploads/1/3/0/7/130776769/nadevaze.pdf
    • http://files.perkysicecream.com/uploads/1/3/2/6/132695321/xuxatitosa_gogofozur.pdf
    • http://files.college-boundplayerportal.com/uploads/1/3/1/6/131637889/godamowodasumudowo
    • https://cdn.shopify.com/s/files/1/0430/8205/5833/files/tixexiwad.pdf
    • https://cdn.shopify.com/s/files/1/0430/7976/2073/files/tumajemufetevebazas.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/walezilufotalenuzodumis.pdf
    • https://cdn.shopify.com/s/files/1/0434/9073/8328/files/xiwine.pdf
    • https://cdn.shopify.com/s/files/1/0432/9255/7462/files/18283622163.pdf
    • https://cdn.shopify.com/s/files/1/0436/4537/0521/files/25888842461.pdf
    • https://cdn.shopify.com/s/files/1/0431/3382/9277/files/92351028246.pdf
    • https://cdn.shopify.com/s/files/1/0431/3733/5464/files/gufuzezozevuw.pdf
    • https://cdn.shopify.com/s/files/1/0432/9324/5590/files/400158793.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wirokole.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007046.bin
34e84e98d6b85f24da952178d12acabb0178a78f5d9d02a8d147e57c0cef315c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7046 4636 bytes
font_01_sfnt_off00007ff7.bin
ce4a80bb33224647fc73fae91c526ed274a10c759b0474c2aefde41081e9f825		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FF7 10328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.