Malicious PDF — malware analysis report

Static analysis result for SHA-256 b08d1d830081af17…

Verdict: MALICIOUS
File type: PDF
Size: 59.6 KB
Created: 2020-08-14 15:29:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff5ca164dde470f9ea57458c2fe0370e
SHA-1: 5f832a25b5c5933387800592f95d8c3e47f13985
SHA-256: b08d1d830081af172d59522150ff55bdbc07289bbf5f8daa0ae53137ea5049c6
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, disguised with text related to "Kahoot trivia questions and answers". The PDF also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external resources, many of which are hosted on Shopify. The primary malicious URL identified is ttraff.ru, which is flagged as a malicious redirector. The document body itself is heavily obfuscated but contains the visible lure text and the malicious URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/pify?keyword=kahoot+trivia+questions+and+answers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00009e36.bin
SHA-256: 5d1350d76f6fc8beef5b21aa0300f128b2209cb6893ee4a5af1c9d6df9d8bd59
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x9E36
Size: 5008 bytes

Filename: font_01_sfnt_off0000af4c.bin
SHA-256: 2a68cd44d5fe7d7656229be2a15402c629cf1498a948f931fa7efd8c0b17073d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xAF4C
Size: 10476 bytes

Filename: font_02_sfnt_off0000d2d9.bin
SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD2D9
Size: 4324 bytes