Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba5943955d6ce3a0…

MALICIOUS

PDF

42.7 KB Created: 2020-08-14 16:58:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ade5fb4285801209d81f6478ed72003 SHA-1: c7be23ac790d790456bbb801b7aefc4ee425e9df SHA-256: ba5943955d6ce3a0d30dc9c81727bbfc43b9d7e2b379ecfa5f460bf7c212528a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=data+table+function+in+google+sheet'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://cdn.shopify.com/s/files/1/0429/6677/8009/files/kubif.pdf' being one of the first identified. The document body, though heavily obfuscated, contains the same lure text as the URL, suggesting a social engineering attempt to trick users into clicking the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=data+table+function+in+google+sheet
    • http://files.allgoodthingsosf.org/uploads/1/3/0/9/130970004/babuvujekufo.pdf
    • http://dadupuru.natureswaybotanical.com/uploads/1/3/0/7/130739916/4340139.pdf
    • https://cdn.shopify.com/s/files/1/0429/6677/8009/files/kubif.pdf
    • https://cdn.shopify.com/s/files/1/0437/2630/7480/files/gopuzakejafuve.pdf
    • https://cdn.shopify.com/s/files/1/0438/0796/5345/files/thyristor_controlled_rectifier.pdf
    • https://cdn.shopify.com/s/files/1/0430/0744/3103/files/67891612381.pdf
    • https://cdn.shopify.com/s/files/1/0428/0716/5095/files/23103052322.pdf
    • https://cdn.shopify.com/s/files/1/0433/7880/2846/files/anchoring_script_for_school_function.pdf
    • https://cdn.shopify.com/s/files/1/0427/9838/3260/files/gexulol.pdf
    • https://cdn.shopify.com/s/files/1/0429/8450/5498/files/girokupoteki.pdf
    • https://cdn.shopify.com/s/files/1/0429/9502/4033/files/kelowoninubenubavudul.pdf
    • https://cdn.shopify.com/s/files/1/0432/2613/6743/files/monster_rancher_2_rom.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000609b.bin
c0bf8d0bd5f5367d17ff3a93670c80a460425e456ca930fb369af5b58c4c878c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x609B 5188 bytes
font_01_sfnt_off00007248.bin
dda56a82a8834a7de8e228d3ea16d128f59fddb2bad40c416c17b75813d64143		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7248 13652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.