Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab6943dbce788114…

MALICIOUS

PDF

41.0 KB Created: 2020-08-20 18:14:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dd7d5c9788bfb7b08fd8b8b443f1839c SHA-1: 93c774e8bf9c7172db4edef35ffd2970f48e350c SHA-256: ab6943dbce788114e474fd61a9a526e3ae17b6780914ebf65548119b490a0c92
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a lure for a job application, which is a common tactic for phishing and scam campaigns. It embeds multiple links, with one pointing to a known malicious redirector (ttraff.ru). The document body, though heavily obfuscated, also contains this URL and other links hosted on Shopify, some of which are benign. The presence of a callback phishing lure further supports the malicious intent.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=job+application+letter+for+accountant+assistant+pdf
    • http://winat.kellysserenityhouseinc.com/uploads/1/3/2/6/132680981/df7829f43.pdf
    • http://mewis.t9corp.com/uploads/1/3/0/7/130775565/0c459.pdf
    • https://cdn.shopify.com/s/files/1/0438/0780/1504/files/thinking_out_loud_chords.pdf
    • https://cdn.shopify.com/s/files/1/0431/9110/7752/files/zunotakub.pdf
    • https://cdn.shopify.com/s/files/1/0434/4751/7349/files/sonda_vesical_suprapubica.pdf
    • https://cdn.shopify.com/s/files/1/0434/0541/0471/files/73051910235.pdf
    • https://cdn.shopify.com/s/files/1/0436/0614/7230/files/gubagutizuselijosisixezas.pdf
    • https://cdn.shopify.com/s/files/1/0434/4214/3397/files/animer_une_session_de_formation.pdf
    • https://cdn.shopify.com/s/files/1/0431/7482/2044/files/2459904718.pdf
    • https://cdn.shopify.com/s/files/1/0431/8475/0741/files/91130662909.pdf
    • https://cdn.shopify.com/s/files/1/0432/0083/9842/files/99511619343.pdf
    • https://cdn.shopify.com/s/files/1/0430/3123/2674/files/rufifubuzelakitew.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006134.bin
bbec623db2af83db702e8dde5bdfb95e12664d7e877a0fee316e0fce22cb52f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6134 5276 bytes
font_01_sfnt_off00007325.bin
c65d0a277412888b1bcfb6683d1c342cdb10833b2ea41f4d9124015db7f87894		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7325 10472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.