Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8c04e0b56d6e2f2…

MALICIOUS

PDF

46.8 KB Created: 2020-07-25 23:33:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bfb96fc16328553aea78c45cb04ba8b SHA-1: f0e46b38db6610f0e4a30c041f0322a24320e19d SHA-256: a8c04e0b56d6e2f2b910a07853695b1b315594c42e885553e85d9e103bc9605b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, including one to a known malicious redirector at 'ttraff.ru'. The document body, though heavily obfuscated, appears to be a lure related to educational worksheets. The primary attack vector is likely a user clicking on the malicious link within the PDF, leading them to the redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=maths+decimals+worksheets+for+7th+grade
    • http://files.ravenssoccer.org/uploads/1/3/1/4/131407028/pijaxer.pdf
    • http://files.countrysideanimalclinictooele.com/uploads/1/3/1/3/131380868/newufutuje.pdf
    • http://files.bakeraudio.org/uploads/1/3/0/9/130968921/b5e85f32081aa0.pdf
    • https://cdn.shopify.com/s/files/1/0428/8475/9711/files/74173796746.pdf
    • https://cdn.shopify.com/s/files/1/0427/9002/7430/files/7608646187.pdf
    • https://cdn.shopify.com/s/files/1/0438/2969/0528/files/58160217563.pdf
    • https://cdn.shopify.com/s/files/1/0434/0501/7238/files/1548809910.pdf
    • https://cdn.shopify.com/s/files/1/0432/1237/4174/files/83062261228.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1587610690.pdf
    • https://cdn.shopify.com/s/files/1/0441/2581/4936/files/momomin.pdf
    • https://cdn.shopify.com/s/files/1/0427/5824/2470/files/xizeselela.pdf
    • https://cdn.shopify.com/s/files/1/0434/7245/3797/files/sogubapipuwaxemitekenar.pdf
    • https://cdn.shopify.com/s/files/1/0431/9179/5875/files/33119388113.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0432/1237/4174/files/83062261228

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000078ae.bin
56bbeb211278bc311a5a1b200100239dd4ccf5cae01d0b2fae53bc10a214cd0f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78AE 5360 bytes
font_01_sfnt_off00008b08.bin
ac8ad2fcfea2c0db78cc1f0def2dc98eb36d33a3c060166dbf7f46e3a08011ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B08 10228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.