Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc23d4b4bc07c798…

MALICIOUS

PDF

42.2 KB Created: 2020-08-14 23:57:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 576be2fc83cc0f2eefb3ee5b61cc86c1 SHA-1: 853dec1872ff49bb898cd6df1f221a79b52eb2d0 SHA-256: bc23d4b4bc07c798a177e35bed43b309485089f12b1b59f59d81a2f109c6a33b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external resources. One prominent URL, 'https://ttraff.ru/pify?keyword=kagura+mobile+legends+guide', is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other PDF files hosted on Shopify. This suggests a link farm or redirection tactic to obscure the ultimate malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=kagura+mobile+legends+guide
    • http://files.sunglasspanache.com/uploads/1/3/1/4/131483281/36c9fbe2.pdf
    • http://files.food.varistor.ch/uploads/1/3/1/6/131606231/jadomif_xuxipo.pdf
    • http://files.chattahoocheechorus.com/uploads/1/3/0/8/130874524/bb111ffc2.pdf
    • http://files.bennettmachineindustrial.com/uploads/1/3/0/8/130874477/8003404.pdf
    • https://cdn.shopify.com/s/files/1/0430/0832/7829/files/39331303303.pdf
    • https://cdn.shopify.com/s/files/1/0433/5150/7112/files/luxuragubojipidoposo.pdf
    • https://cdn.shopify.com/s/files/1/0438/1055/4016/files/starched_genes_fallout_76.pdf
    • https://cdn.shopify.com/s/files/1/0434/1104/6561/files/40943741507.pdf
    • https://cdn.shopify.com/s/files/1/0432/1509/3917/files/62774215041.pdf
    • https://cdn.shopify.com/s/files/1/0434/0262/5178/files/57568181947.pdf
    • https://cdn.shopify.com/s/files/1/0433/7539/4977/files/jowobapimagozadetuzunojer.pdf
    • https://cdn.shopify.com/s/files/1/0436/7322/3321/files/84330550959.pdf
    • https://cdn.shopify.com/s/files/1/0436/5549/5833/files/jagged_array_in_c.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/wajumibuxup.pdf
    • https://cdn.shopify.com/s/files/1/0429/0134/0319/files/jomujetekolitadobufofadu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005aeb.bin
f0545f0c7d0690118be8da2bef027d4dbaf7d44b7bd96e82ec1b9410425e93d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AEB 5056 bytes
font_01_sfnt_off00006bee.bin
97bc5e7bd60f847620da180e66fd950bae2d2eff7123ce73f9d1b44ce2facdfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BEE 9996 bytes
font_02_sfnt_off00008e27.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E27 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.