Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa8eba2c3dc2821f…

MALICIOUS

PDF

44.8 KB Created: 2020-08-24 18:45:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7538641727dcdedd2370f6e8a21de6a2 SHA-1: e6742283e09d74b95ff5a96c21631e2c0fbef05e SHA-256: aa8eba2c3dc2821f23dc1e06aa0bef6fd29dff8533a6d26e751b26a971eadaf6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a mass of external links, masquerading as relevant content, to redirect users to malicious infrastructure. The primary malicious URL identified is https://ttraff.ru/pify?keyword=azure+blueprint+vs+cloudformation. This technique is commonly used to distribute malware or phish for credentials by luring victims through seemingly legitimate content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=azure+blueprint+vs+cloudformation
    • http://dulisukuw.edcampatlanta.org/uploads/1/3/0/8/130874397/razolalinepa.pdf
    • https://cdn.shopify.com/s/files/1/0431/2032/8864/files/50695628636.pdf
    • https://cdn.shopify.com/s/files/1/0434/5495/5672/files/30959678089.pdf
    • https://cdn.shopify.com/s/files/1/0433/0297/7700/files/89491624162.pdf
    • https://cdn.shopify.com/s/files/1/0427/8000/0422/files/9444453215.pdf
    • https://cdn.shopify.com/s/files/1/0437/2509/5062/files/wenosuxusedikunoso.pdf
    • https://cdn.shopify.com/s/files/1/0431/9186/1412/files/55179547591.pdf
    • https://cdn.shopify.com/s/files/1/0437/6395/7909/files/hot_wheels_super_ultimate_garage_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0432/8875/6374/files/22606686187.pdf
    • https://cdn.shopify.com/s/files/1/0435/6525/2771/files/african_queen_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0440/1784/4382/files/anything_something_nothing_everything_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0452/6155/3826/files/85756831574.pdf
    • https://cdn.shopify.com/s/files/1/0433/9813/5966/files/metuxubaxinafusaxizexo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007185.bin
9b31af3ce44128d52b6707d8dda4b55edceefd12691cbce82d019fdb348f1fac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7185 5540 bytes
font_01_sfnt_off00008442.bin
6f9c805e19cb7bcfe4a35c359533b3ee94a6ae10679556d94971482ab9a4098f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8442 10040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.