Malicious PDF — malware analysis report

Static analysis result for SHA-256 b11d1e78b1f40b2b…

MALICIOUS

PDF

35.9 KB Created: 2020-08-20 08:12:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0bdd9fd20f777de8d29b4845d85ea54e SHA-1: 7b8851e7fd8ec25083326db111f68bfc924722af SHA-256: b11d1e78b1f40b2b1725dcfb01e1450475c1c7f7ef91fd267e3f4ea5a818b51b
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to a known malicious domain, ttraff.ru. This domain is part of a link farm and likely serves as a redirector to further malicious content. The document body, though heavily obfuscated, contains text related to 'Tom and Jerry cartoon movie mp4' and the malicious URL, suggesting a lure to entice users to click the link. The presence of numerous external PDF links further supports the link farm heuristic.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=tom+and+jerry+cartoon+movie++mp4
    • http://files.littledownhamchurch.org/uploads/1/3/1/3/131384407/7335428dde5dab.pdf
    • http://files.thejourneyisourdestination.com/uploads/1/3/0/7/130776075/6609944.pdf
    • https://cdn.shopify.com/s/files/1/0435/3176/3864/files/54948236236.pdf
    • https://cdn.shopify.com/s/files/1/0430/3051/1779/files/lipivinapuzi.pdf
    • https://cdn.shopify.com/s/files/1/0429/0428/9439/files/52092019978.pdf
    • https://cdn.shopify.com/s/files/1/0430/9162/4097/files/rixosu.pdf
    • https://cdn.shopify.com/s/files/1/0439/2691/3179/files/discord_word_commands.pdf
    • https://cdn.shopify.com/s/files/1/0437/8856/6680/files/56410074367.pdf
    • https://cdn.shopify.com/s/files/1/0434/2356/3925/files/25658262487.pdf
    • https://cdn.shopify.com/s/files/1/0430/1671/6437/files/54262477939.pdf
    • https://cdn.shopify.com/s/files/1/0430/3824/5017/files/pefuzexudomadisikekuxot.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0219/files/34692047500.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/gokudesipujanurepariwowu.pdf
    • https://cdn.shopify.com/s/files/1/0430/8520/1561/files/81333864388.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004fc8.bin
f03d5757628513a7646dc7da6248720a6234ab8953465671c5b3038be6704694		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4FC8 5284 bytes
font_01_sfnt_off000061bd.bin
1639e5482eb56f1ea2b5872259293f191bfee312160a685df6bfb2516952cd66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61BD 9788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.