Malicious PDF — malware analysis report

Static analysis result for SHA-256 afca6e9439949690…

Verdict: MALICIOUS
File type: PDF

Size: 93.0 KB
Created: 2020-08-20 23:31:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e6a59744e89095b4c7b2bb41ca9f369
SHA-1: b31381892d908e579a1262741208cd1171dcb132
SHA-256: afca6e9439949690a0e4ff8e17daf8e4599c72b9fa02b451232ecaa595657c98
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a link to known malicious redirector infrastructure, specifically 'ttraff.ru'. The document body, though heavily obfuscated, includes the same URL and a reference to 'biodata form meaning in telugu', suggesting a lure. The PDF also exhibits link-farm behavior, with numerous external links, many pointing to Shopify domains, likely for SEO manipulation or to obscure the malicious redirector. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=biodata+form+meaning+in+telugu

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source and size, with the artifact's SHA-256 on the following line.

  • stream_011_off0001210d.bin, decompressed-pdf-stream, PDF FlateDecoded stream at offset 0x1210D, 18176 bytes
    SHA-256: cf01bc0f4988446dccedefc74b2e18f75f5a4db52223d49ae4d5ad8e3f5c05f1
  • font_00_sfnt_off00006ef1.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0x6EF1, 5588 bytes
    SHA-256: 40ed7a59e93a39a2357a6714e82246a7d8382393c541a7d084f33d2bd6126fa4
  • font_01_sfnt_off00008281.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0x8281, 5096 bytes
    SHA-256: ef152952b55a00000d4d6e1f4b1828fa3e423f13a2ad231b81fac2308c23dd7b
  • font_02_sfnt_off000093bd.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0x93BD, 2656 bytes
    SHA-256: c206ac4eca120f096112d408dff6b33a2f721090936d80486df636e1cd240fde
  • font_03_sfnt_off00009ec1.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0x9EC1, 3720 bytes
    SHA-256: d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280
  • font_04_sfnt_off0000aa22.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0xAA22, 2328 bytes
    SHA-256: 3702365b3034b9d7945da23b991b5e2ac3f8bb06d1ba3be7e5ba1b5d8dd48c9f
  • font_05_sfnt_off0000b4da.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0xB4DA, 22960 bytes
    SHA-256: 9a4e9969aa2d8c23b6a9475a8eea51ef1a8a2f45d98f611bda37589bd194c8c5
  • font_06_sfnt_off0000e835.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0xE835, 6640 bytes
    SHA-256: eca62b72654736461a635ba366d09d794777fd95c58152d2b251becdfce657e0
  • font_07_sfnt_off0000f9d2.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0xF9D2, 11608 bytes
    SHA-256: ebd7a73d6a0a09292a79e726cfa0c3f05ffbc5a8b3fcd7cb740a033e836fd4bf
  • font_09_sfnt_off00013dda.bin, pdf-font-stream, PDF embedded font (sfnt) at offset 0x13DDA, 12172 bytes
    SHA-256: e245142c558da01b4f3e913504f8d3d26956bc7bd29557ec3b43d4f8e66c967d