Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4f83896b3e716c3…

MALICIOUS

PDF

40.5 KB Created: 2020-08-21 16:05:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a17f01e15d928fd57c2d61ed86dc9ad SHA-1: a81c87462ab0dc0d85cf90d8a4d80bd8ed1cb9fd SHA-256: b4f83896b3e716c3699a51c194064f49c49339cf0c38cf4281c854d31d92a8cc
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript which is flagged as malicious. This script is likely responsible for the critical heuristic firing indicating a PDF link to known malicious redirector infrastructure. The primary redirector URL is https://ttraff.ru/pify?keyword=search+multiple+excel+sheets+at+once, which is used to lure users to potentially malicious content. The document body also contains this URL and references to SEO link farming, suggesting an attempt to attract traffic through deceptive means.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=search+multiple+excel+sheets+at+once
    • http://files.londonderrychristianmontessori.com/uploads/1/3/1/1/131163747/1987567.pdf
    • https://cdn.shopify.com/s/files/1/0433/2093/4558/files/dupex.pdf
    • https://cdn.shopify.com/s/files/1/0433/6094/4296/files/51340251643.pdf
    • https://cdn.shopify.com/s/files/1/0433/1975/4907/files/4672230199.pdf
    • https://cdn.shopify.com/s/files/1/0432/3305/0779/files/52983573214.pdf
    • https://cdn.shopify.com/s/files/1/0437/0687/6055/files/appchina_free_ios.pdf
    • http://files.lkong.people.ua.edu/uploads/1/3/1/6/131636819/c2e358ec.pdf
    • https://cdn.shopify.com/s/files/1/0431/5198/2754/files/wugatamazabexuwakejovoju.pdf
    • https://cdn.shopify.com/s/files/1/0433/7405/1493/files/63978113061.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xasaxikopakepiditewevumub.pdf
    • https://cdn.shopify.com/s/files/1/0432/2240/1192/files/zufulufenolefalisagorafo.pdf
    • https://cdn.shopify.com/s/files/1/0434/4987/6630/files/99750700135.pdf
    • https://cdn.shopify.com/s/files/1/0429/8804/4447/files/xararanoxubapevusijezej.pdf
    • https://cdn.shopify.com/s/files/1/0438/0491/7917/files/javascript._overlay._slice_0_100._click.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fb4.bin
3a9509e4f9a440f4d427becdf9122a5cfeb2997e5d6e88ced367fa921ab04295		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FB4 5344 bytes
font_01_sfnt_off000071b7.bin
015b7d6fc3bfb91840a682b8499befaaa3432f5a725c8c08782584e0a1a581a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71B7 10408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.