Malicious PDF — malware analysis report

Static analysis result for SHA-256 abf618aa472a01f6…

MALICIOUS

PDF

42.7 KB Created: 2020-09-01 00:56:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 22869db9bc711ebd933ed586c18363dc SHA-1: a0b63162f72a3c7be6304a8baa09a2ee5c51f1d9 SHA-256: abf618aa472a01f63f23c4e8e54ae0c414935f6a420353c3e2c6f04d55d001b4
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=aligarh+muslim+university+9th+admission+form'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, including one hosted on Shopify. The presence of a 'download button' lure further supports a phishing or social engineering attack pattern. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=aligarh+muslim+university+9th+admission+form
    • https://cdn.shopify.com/s/files/1/0438/9961/7448/files/71364506049.pdf
    • https://cdn.shopify.com/s/files/1/0439/9942/8766/files/devexpress_spreadsheet_column_width.pdf
    • https://cdn.shopify.com/s/files/1/0430/7664/9124/files/50019617577.pdf
    • https://cdn.shopify.com/s/files/1/0444/5346/2183/files/renago.pdf
    • https://cdn.shopify.com/s/files/1/0440/5483/9461/files/all_metal_melting_point_list.pdf
    • https://cdn.shopify.com/s/files/1/0427/9359/9132/files/c_format_specifiers.pdf
    • https://cdn.shopify.com/s/files/1/0443/0843/1004/files/caballo_de_troya_5_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0435/3648/2458/files/epilepsy_action_training.pdf
    • https://cdn.shopify.com/s/files/1/0427/7311/9143/files/lexidux.pdf
    • https://cdn.shopify.com/s/files/1/0429/6612/2662/files/la_cimbali_m39_dosatron_gt_manual.pdf
    • https://cdn.shopify.com/s/files/1/0435/3759/6575/files/61839485708.pdf
    • https://cdn.shopify.com/s/files/1/0463/1753/5397/files/rodugumagotexeke.pdf
    • https://cdn.shopify.com/s/files/1/0447/9988/5463/files/el_fenomeno_tumoral_dr_goiz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/042

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006616.bin
cbf8b25a45998e815b831b68bd60fde1b41b507ebf16c326e5d918b0a293d59c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6616 5628 bytes
font_01_sfnt_off0000791c.bin
37fb2f1456fb37d2e54664e4efc0595681d1539c3773289fc2b9d2202424f0fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x791C 10708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.