Malicious PDF — malware analysis report

Static analysis result for SHA-256 af569aacc3cce8d3…

Verdict: MALICIOUS
File type: PDF
Size: 53.2 KB
Created: 2020-08-05 18:05:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a21cc0a38f043ec74ad64c6a6916cca
SHA-1: accef7109c26db257b61f2f0bdcbe5a7a678ac10
SHA-256: af569aacc3cce8d38ed293c7c5adbfbd01b8ccda792ff92abc32bdecf69e3818
Risk score: 168

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment (the PDF itself is the delivered lure)
T1204.001 User Execution: Malicious Link (the embedded URIs do nothing until a user clicks them)

The PDF contains multiple embedded links, including one pointing to a known malicious redirector. The heuristic 'SE_PAYMENT_REDIRECT_LURE' indicates the document text is written to make the reader believe there are new or changed bank instructions, and the visual download button further supports a click-driven malicious workflow. The producer string (wkhtmltopdf via Qt) shows the file was rendered from HTML rather than authored in a desktop application, which is consistent with a generated link-farm carrier. None of the findings involve a PDF parser exploit; the document needs the user to follow a link. The primary malicious URL identified is https://ttraff.ru/wb?keyword=can%20you%20combine%20pdfs%20in%20google%20drive.

Heuristics (5)

  • PDF_MALICIOUS_REDIRECTOR_LINK [critical]: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_PAYMENT_REDIRECT_LURE [high]: Payment redirection / bank-detail change lure
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (the first is the primary malicious URL):
    • https://ttraff.ru/wb?keyword=can%20you%20combine%20pdfs%20in%20google%20drive
    • http://files.chelseyfitfactory.com/uploads/1/3/0/7/130775871/daruv-lagarikafoxure-nugogasas-nepipi.pdf
    • http://files.katthenomad.com/uploads/1/3/1/4/131437172/nelomamusiwikizu.pdf
    • http://files.ccjustice.net/uploads/1/3/0/8/130813616/6ba392ad.pdf
    • http://files.thrivedirecthealthcare.com/uploads/1/3/0/7/130738708/4ed1940af72aab0.pdf
    • http://pemonu.talismanhousepublishers.com/uploads/1/3/1/4/131407406/pufukufip.pdf
    • https://cdn.shopify.com/s/files/1/0431/5021/3274/files/61515272779.pdf
    • https://cdn.shopify.com/s/files/1/0431/7990/1085/files/98439115111.pdf
    • https://cdn.shopify.com/s/files/1/0431/0401/0389/files/gemowigibotuxosenakil.pdf
    • https://cdn.shopify.com/s/files/1/0429/4819/8556/files/vakeginakobofudodegiso.pdf
    • https://cdn.shopify.com/s/files/1/0435/3196/0474/files/89240741455.pdf
    • https://cdn.shopify.com/s/files/1/0432/2571/0750/files/biceps_tendonitis_home_exercise_program.pdf
    • https://cdn.shopify.com/s/files/1/0432/5031/9528/files/rasodaluzejusizodipigodi.pdf
    • https://cdn.shopify.com/s/files/1/0431/5198/2754/files/fikazil.pdf
    • https://cdn.shopify.com/s/files/1/0431/5263/8116/files/doxol.pdf
    • https://cdn.shopify.com/s/files/1/0435/1872/2216/files/facebook_group_photo_size.pdf
    • https://cdn.shopify.com/s/files/1/0430/0016/8597/files/fallout_new_vegas_overhaul_mods.pdf
    • https://cdn.shopify.com/s/files/1/0437/5085/0709/files/70951509810.pdf
    • https://cdn.shopify.com/s/files/1/0428/7247/1718/files/sixinujunoloduxegik.pdf
    • https://cdn.shopify.com/s/files/1/0434/2887/2359/files/xetodigopomadazogatudivet.pdf
    • The six URIs below are XMP/RDF namespace identifiers from the document's metadata packet. They are plain strings in the document body, not link annotations, and carry no signal:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0428/724 (truncated as listed)
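The two link-based heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) are straightforward to reproduce in a triage script. The following is an added example, not code from the report's tooling: it builds a small uncompressed PDF with one /Link annotation per URL, pulls the /URI targets back out of the raw bytes, and then applies a redirector blocklist and a "many .pdf links on one host in a small file" test. The hosts, the blocklist and the thresholds (200 KB, 8 links, 60 % on one host) are assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed redirector blocklist for this demonstration (fictional host). In practice the
# list comes from the analyst's threat-intel feed, not from the PDF being triaged.
KNOWN_REDIRECTOR_HOSTS = {"redirector.example"}

# /URI actions carry their target as a PDF literal string: /URI (https://...)
# Backslash escapes inside the string are allowed for; hex strings <...> are not.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def build_sample_pdf(urls):
    """Construct a minimal uncompressed PDF whose single page carries one /Link
    annotation per URL. This is test input for the example, not the analysed sample."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode()
    )
    for url in urls:  # literal strings may not contain unescaped parentheses
        objs.append(
            f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>".encode()
        )
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer << /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_pos}\n%%EOF\n".encode()
    return bytes(out)


def extract_uri_links(pdf: bytes):
    """Return /URI link-action targets found in the raw file. Only literal strings in
    uncompressed objects are seen; run `qpdf --qdf --object-streams=disable` first on
    PDFs that pack their objects into object streams."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]


def triage(pdf: bytes, max_size=200 * 1024, min_pdf_links=8, cluster_ratio=0.6):
    """Apply the report's two link-based heuristics. The thresholds are assumptions
    for this example, not the values used by the tool that produced the report."""
    urls = extract_uri_links(pdf)
    hosts = [urlparse(u).netloc.lower() for u in urls]
    redirector_hits = [u for u, h in zip(urls, hosts) if h in KNOWN_REDIRECTOR_HOSTS]
    # PDF_SEO_LINK_FARM: a small file with many external .pdf links clustered on one host
    pdf_hosts = [h for u, h in zip(urls, hosts) if urlparse(u).path.lower().endswith(".pdf")]
    link_farm = None
    if len(pdf) <= max_size and len(pdf_hosts) >= min_pdf_links:
        top_host, top_count = Counter(pdf_hosts).most_common(1)[0]
        share = top_count / len(pdf_hosts)
        if share >= cluster_ratio:
            link_farm = {"host": top_host, "pdf_links": len(pdf_hosts), "share": round(share, 2)}
    return {"size": len(pdf), "urls": urls, "redirector_hits": redirector_hits, "link_farm": link_farm}


# Constructed URL set mirroring the report's pattern: one redirector plus .pdf links that
# mostly sit on a single CDN host. All hosts are fictional.
SAMPLE_URLS = (
    ["https://redirector.example/wb?keyword=combine+pdfs"]
    + [f"https://cdn.example-shop.com/s/files/1/0431/{i:04d}/files/{i}.pdf" for i in range(9)]
    + ["http://files.site-a.example/uploads/a.pdf", "http://files.site-b.example/uploads/b.pdf"]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(f"{result['size']} bytes, {len(result['urls'])} link annotations")
    print("PDF_MALICIOUS_REDIRECTOR_LINK:", result["redirector_hits"])
    print("PDF_SEO_LINK_FARM:", result["link_farm"])
```

The regex deliberately keys on the /URI action string rather than on anything that looks like a URL, which is why the XMP namespace identifiers listed above would not appear in its output: they live in the metadata stream, not in a link annotation, and a triage tool should report the channel for each URL exactly as the EMBEDDED_URL entry describes.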

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off00006d2d.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6D2D
  Size:    5600 bytes
  SHA-256: da062d1f70c45ec842d437f3b113639dc4315406737d6b6efb7085cbe43f26bc

font_01_sfnt_off0000802a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x802A
  Size:    10156 bytes
  SHA-256: a972d5528efc1ca80cdebcf52188068c94bafe3f5da66c6f9ec0aec0eef3f572

font_02_sfnt_off0000a322.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA322
  Size:    16364 bytes
  SHA-256: d3b441d6f6f6ae982b5d7d88b436777b0d9264f99352e3b4b68b574cd6c4fe32

font_03_sfnt_off0000b8f7.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB8F7
  Size:    4324 bytes
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
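The four carved streams total 36,444 bytes, roughly two thirds of the 53.2 KB file, so it is worth confirming that they really are sfnt fonts and not a payload tucked into a font stream. The following is an added example, not part of the report or its tooling: it constructs a minimal sfnt blob, then checks the sfntVersion tag, the table count, the table directory bounds and the per-table OpenType checksums, and shows the check failing on a blob with one altered byte and on a non-font blob. The sample tables and their contents are assumptions; the header and checksum rules are those of the OpenType specification.

```python
import struct

# sfntVersion values that mark a TrueType-flavoured or CFF-flavoured (OpenType) font.
# Font collections ('ttcf') have a different header and are not handled here.
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}


def table_checksum(data: bytes) -> int:
    """OpenType table checksum: big-endian uint32 sum over the zero-padded table."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def build_sfnt(tables: dict) -> bytes:
    """Construct a minimal sfnt container from {tag: bytes}. Test input only: it has a
    valid header and table directory but is not a usable font."""
    num = len(tables)
    entry_selector = max(num.bit_length() - 1, 0)
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, search_range,
                         entry_selector, num * 16 - search_range)
    directory, body = b"", b""
    offset = 12 + 16 * num
    for tag, data in sorted(tables.items()):  # directory records must be sorted by tag
        directory += struct.pack(">4sIII", tag.encode("ascii"), table_checksum(data),
                                 offset + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body


def inspect_sfnt(blob: bytes) -> dict:
    """Check that a carved stream is structurally an sfnt font: known version tag, a sane
    table count, printable table tags, every table inside the blob, checksums matching.
    'head' is skipped because its checksum excludes the checkSumAdjustment field."""
    if len(blob) < 12:
        return {"valid": False, "tables": {}, "problems": ["shorter than an sfnt header"]}
    version, num_tables = struct.unpack(">4sH", blob[:6])
    if version not in SFNT_VERSIONS:
        return {"valid": False, "tables": {}, "problems": [f"unknown sfntVersion {version!r}"]}
    if num_tables == 0 or 12 + 16 * num_tables > len(blob):
        return {"valid": False, "tables": {}, "problems": ["implausible numTables"]}
    tables, problems = {}, []
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        tag, checksum, offset, length = struct.unpack(">4sIII", rec)
        name = tag.decode("latin-1")
        if not all(0x20 <= c < 0x7F for c in tag):
            problems.append(f"record {i}: non-printable table tag")
        if offset + length > len(blob):
            problems.append(f"{name}: table runs past the end of the stream")
            continue
        if name != "head" and table_checksum(blob[offset:offset + length]) != checksum:
            problems.append(f"{name}: checksum mismatch")
        tables[name] = length
    return {"valid": not problems, "tables": tables, "problems": problems}


# Constructed inputs: a well-formed subset-style font (PDF-embedded subsets commonly
# carry only the glyph tables, so 'cmap'/'name'/'post' are not required here), the same
# blob with one byte of table data altered, and an MZ header masquerading as a font stream.
GOOD_FONT = build_sfnt({"glyf": b"\x00" * 20, "loca": b"\x00\x00\x00\x0a",
                        "maxp": b"\x00\x01\x00\x00\x00\x05"})
TAMPERED_FONT = bytearray(GOOD_FONT)
TAMPERED_FONT[-3] ^= 0xFF          # inside 'maxp' data, not its alignment padding
TAMPERED_FONT = bytes(TAMPERED_FONT)
NOT_A_FONT = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for label, blob in [("good", GOOD_FONT), ("tampered", TAMPERED_FONT), ("not-a-font", NOT_A_FONT)]:
        print(label, inspect_sfnt(blob))
```

Run it against the four carved .bin files by passing their bytes to inspect_sfnt; a stream that parses cleanly and carries the usual glyph tables can be set aside, while a checksum mismatch or a table that runs past the end of the stream is the cue to look at what else the stream contains.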