Malicious PDF — malware analysis report

Static analysis result for SHA-256 b25511b77b743994…

MALICIOUS

PDF

39.6 KB Created: 2020-07-31 19:32:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43defa563149a0962d13db1f950e16e6 SHA-1: 711da301f53523b6c70ae1fecad2a38a9484b565 SHA-256: b25511b77b743994d25acd139a1375bc14aca38cfd229544b31375c9d7530afd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. One critical heuristic firing indicates a malicious redirector link to 'ttraff.ru', which is likely used to obscure the final malicious destination. The document body, though partially corrupted, contains text related to an 'awning installation manual', suggesting a lure to disguise the malicious intent. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=outsunny%20awning%20installation%20manual
    • http://files.nexusopx.com/uploads/1/3/0/8/130814393/e103fba2965.pdf
    • http://files.thepuzzleleaguedance.com/uploads/1/3/0/7/130740211/fuwovopojup.pdf
    • http://files.sig10-cleaning-decontamination.net/uploads/1/3/1/6/131606092/xebonitibivawo_kubaxefupat.pdf
    • http://files.bickleyandcompany.com/uploads/1/3/1/3/131383325/8548219.pdf
    • https://cdn.shopify.com/s/files/1/0431/5214/6587/files/49015120018.pdf
    • https://cdn.shopify.com/s/files/1/0431/4251/2802/files/88042169729.pdf
    • https://cdn.shopify.com/s/files/1/0429/4737/9356/files/nolelikipokapilupujaduniv.pdf
    • https://cdn.shopify.com/s/files/1/0436/6237/7113/files/banazuwixik.pdf
    • https://cdn.shopify.com/s/files/1/0433/6756/3420/files/fisubadusuf.pdf
    • https://cdn.shopify.com/s/files/1/0430/5331/8306/files/wuxufir.pdf
    • https://cdn.shopify.com/s/files/1/0430/8838/0061/files/22972179758.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/kofuka.pdf
    • https://cdn.shopify.com/s/files/1/0430/8054/8503/files/jesupodinugexemegebap.pdf
    • https://cdn.shopify.com/s/files/1/0429/9948/0473/files/60383468977.pdf
    • https://cdn.shopify.com/s/files/1/0427/6633/6166/files/wafizexi.pdf
    • https://cdn.shopify.com/s/files/1/0428/8957/6601/files/77586632344.pdf
    • https://cdn.shopify.com/s/files/1/0428/8492/3555/files/pidigagex.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005cc5.bin
4c8f5752c4e54355abb4e8c0f58bf69ddffbb731c55a9546aec9ea1836c105e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CC5 5128 bytes
font_01_sfnt_off00006e43.bin
6f45462f658fbb0c8883674baafd4f95a6d7e3cf0782c50fcdf6070e8814c662		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E43 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.