Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5bd705ff149d25d…

Verdict: MALICIOUS
File type: PDF
Size: 87.9 KB
Created: 2020-08-07 05:41:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 95fa5354bc0240e31aac23975739c1e0
SHA-1: a3203f1cd702d14f44ae4b52aaf590d8f21454f0
SHA-256: b5bd705ff149d25d6403bd3a3aa5ac57a7ee8cd1338387dcfdee2a82cd2d9c88
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the label "Spearphishing Attachment" belongs to T1566.001; the URL-lure behaviour described below matches .002)
  • T1204.001 User Execution: Malicious Link
  • T1059.001 PowerShell (listed in the mapping, but no script, shell or PowerShell artifact appears anywhere in the static results below; this mapping is not supported by evidence on this page)

The PDF carries a large number of clickable links, most of them pointing at domains associated with SEO link farms and redirectors. The primary malicious URL is https://ttraff.ru/pify?keyword=antioxidant+activity+of+silver+nanoparticles+pdf, a known malicious redirector. Its keyword parameter (a search phrase for a scientific paper) and the filenames of the other link targets (textbook solution manuals and similar) indicate a document generated to rank for users searching for specific PDFs. The document body itself is heavily obfuscated and not readable as plain text, but the metadata still carries the PDF title and the authoring application (wkhtmltopdf), consistent with an HTML lure page rendered to PDF.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=antioxidant+activity+of+silver+nanoparticles+pdf
    • http://files.idleminded.com/uploads/1/3/0/9/130969934/pizajezeraxit_xuranelufasagi_gofawob_vejepi.pdf
    • http://files.shopkashkoutureko.com/uploads/1/3/0/7/130740127/d294bc.pdf
    • http://files.okomomodesign.com/uploads/1/3/2/6/132680986/jurapanoleme_tibusa_tovurerapa.pdf
    • http://files.rayvik.com/uploads/1/3/0/8/130814065/fee140733cab3a.pdf
    • http://files.citizensfor1.com/uploads/1/3/1/8/131857305/ef8b886c60.pdf
    • https://cdn.shopify.com/s/files/1/0429/2929/1427/files/bojezuberesudofumob.pdf
    • https://cdn.shopify.com/s/files/1/0431/1089/1676/files/43994968192.pdf
    • https://cdn.shopify.com/s/files/1/0428/9547/4855/files/giwifirenazedosa.pdf
    • https://cdn.shopify.com/s/files/1/0440/2089/1798/files/36624988885.pdf
    • https://cdn.shopify.com/s/files/1/0430/0062/7363/files/ratesesitibagoviratuf.pdf
    • https://cdn.shopify.com/s/files/1/0429/8113/0394/files/86740285176.pdf
    • https://cdn.shopify.com/s/files/1/0430/7589/5450/files/lunewolabadezej.pdf
    • https://cdn.shopify.com/s/files/1/0430/3713/0914/files/antrenmanlarla_geometri_cevaplar.pdf
    • https://cdn.shopify.com/s/files/1/0433/4492/0734/files/70464549522.pdf
    • https://cdn.shopify.com/s/files/1/0438/6563/7019/files/griffiths_quantum_mechanics_2nd_edition_solutions.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries (w3.org, purl.org, ns.adobe.com) are XMP/RDF namespace identifiers from the document's metadata stream, not navigable links; they appear in every XMP-tagged PDF and should not be treated as indicators. The per-URL channel labels referred to above did not survive into this copy of the report.
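The two link heuristics above are straightforward to reproduce. The following is an added example written for this page, not the analysis engine's own code: it pulls /URI link actions out of raw PDF bytes, labels every URL by the channel it was found in (link annotation, document body, or XMP metadata namespace), and then applies a redirector watchlist and a small-file/link-cluster rule. The watchlist, the thresholds (256 KB, 8 .pdf links, 50% of links on one host), all function names and the constructed sample PDF are assumptions made for the example.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.ru"}  # assumed watchlist; the report names ttraff.ru
# XMP/RDF namespace identifiers: metadata, never navigable links.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/", "http://ns.adobe.com/")
URI_ANNOT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (string) in a link action
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(raw: bytes) -> str:
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_uri_annotations(pdf: bytes) -> list:
    """URLs reachable by clicking: /A << /S /URI /URI (...) >> link actions."""
    return [_unescape(m.group(1)) for m in URI_ANNOT_RE.finditer(pdf)]


def extract_body_urls(pdf: bytes) -> list:
    """URLs in the raw bytes or in any stream that inflates with zlib (Flate)."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed; the raw bytes are scanned anyway
    found = []
    for blob in blobs:
        for m in URL_RE.finditer(blob):
            url = m.group(0).decode("latin-1")
            if url not in found:
                found.append(url)
    return found


def label_urls(pdf: bytes) -> dict:
    """Per-URL channel label, as the EMBEDDED_URL note above describes."""
    labels = {u: "link-annotation" for u in extract_uri_annotations(pdf)}
    for u in extract_body_urls(pdf):
        if u not in labels:
            labels[u] = "metadata-namespace" if u.startswith(NAMESPACE_PREFIXES) else "document-body"
    return labels


def evaluate(pdf: bytes, max_size=256 * 1024, min_pdf_links=8, cluster_ratio=0.5) -> dict:
    """Both heuristics; the thresholds are assumptions, not the engine's own values."""
    links = extract_uri_annotations(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in links)
    findings = {}
    hits = sorted(h for h in hosts if h in REDIRECTOR_HOSTS)
    if hits:
        findings["PDF_MALICIOUS_REDIRECTOR_LINK"] = hits
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= max_size and len(pdf_links) >= min_pdf_links:
        top_host, top_n = hosts.most_common(1)[0]
        if top_n / len(links) >= cluster_ratio:
            findings["PDF_SEO_LINK_FARM"] = {"links": len(pdf_links), "top_host": top_host,
                                             "share": round(top_n / len(links), 2)}
    return findings


def build_sample_pdf(link_urls: list) -> bytes:
    """Constructed sample: one page of /Link annotations plus an XMP metadata stream."""
    annots = " ".join(
        "<< /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] /A << /S /URI /URI (%s) >> >>"
        % (10 * i, 10 * i + 10, u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)"))
        for i, u in enumerate(link_urls))
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'><rdf:Description pdf:Producer='wkhtmltopdf'/></rdf:RDF>")
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            ("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [%s] >>" % annots).encode("latin-1"),
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp)]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# Constructed link set shaped like the report's: one redirector plus a cluster on one CDN host.
SAMPLE_LINKS = (["https://ttraff.ru/pify?keyword=example+search+phrase+pdf"]
                + ["https://cdn.shopify.com/s/files/1/0000/0000/%04d/files/%d.pdf" % (i, i) for i in range(10)]
                + ["http://files.example.invalid/uploads/1/a.pdf"])

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS)
    for url, channel in label_urls(sample).items():
        print("%-20s %s" % (channel, url))
    print(evaluate(sample))   # both heuristic names appear as keys
```

Running it prints one line per URL with its channel, then the findings dictionary; on a real file, read the bytes and pass them to label_urls and evaluate. Note that the namespace URIs never enter the link count: both heuristics key off clickable link annotations, which is why the EMBEDDED_URL entries for w3.org, purl.org and ns.adobe.com are listed but carry no detection of their own.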

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000115b3.bin
  SHA-256: 1f76a5fd289158fca8a004b6fea9dff5a01ed0686a4b32d6e8c0c7d86e5ceddb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x115B3
  Size: 5368 bytes

Filename: font_01_sfnt_off00012817.bin
  SHA-256: ca4098a29e7039f07561979335b2ad385eece293037c0b25e788f008c786be2e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12817
  Size: 13236 bytes

Embedded sfnt (TrueType/OpenType) fonts are normal for wkhtmltopdf/Qt-generated output; they are listed for completeness and none of the heuristics above fires on them.