Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd2435a2a97983dd…

MALICIOUS

PDF

50.8 KB Created: 2020-08-30 18:53:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7dc5769aa1057764557f3358714b3a4a SHA-1: 9c60b93195c5f4bcfdb0a87fe02879324dafcf36 SHA-256: bd2435a2a97983dd0fc2380b4964dc4c081489ab0159bc3b0d06be862b9d1e38
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains, but one critical link directs to a known malicious redirector. This suggests a link farm or SEO poisoning tactic designed to lure users to malicious infrastructure. The primary malicious URL identified is https://ttraff.ru/wix?keyword=fifty+shades+darker+audiobook+narrat, which is likely used to redirect users to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=fifty+shades+darker+audiobook+narrat
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gujogu.pdf
    • https://cdn.shopify.com/s/files/1/0430/0341/2633/files/chronicle_2_martyr_script.pdf
    • https://cdn.shopify.com/s/files/1/0433/8758/4661/files/woduwerawisurazuzokukenul.pdf
    • https://cdn.shopify.com/s/files/1/0435/3395/9327/files/baby_girl_names_in_tamil_format.pdf
    • https://static.usrfiles.com/ugd/b8c837_f329b5f7ea484bd3ab3e275ced572be1.pdf
    • https://cdn.shopify.com/s/files/1/0431/5463/6966/files/68043992264.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/xumoxul.pdf
    • https://static.usrfiles.com/ugd/0bcf16_5d9a7c95c052494984d9b773d01d1b85.pdf
    • https://static.usrfiles.com/ugd/2f7815_eacb6becf00e4253aecd38f3822eaf04.pdf
    • https://static.usrfiles.com/ugd/b48b60_555c41de7b8244fbb57c1fb94a32aea4.pdf
    • https://static.usrfiles.com/ugd/b85eb0_dcc539f5a11c4af9b01797d3e976eb8f.pdf
    • https://static.usrfiles.com/ugd/3b47cb_731d4bed18b24fbd857aeb86f67c919e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c24.bin
9fcb215cfd39885b3549febfe22050656dc0cfbde3d0b4337471832221c8ba84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C24 5108 bytes
font_01_sfnt_off00008d74.bin
7442deae4c7241c2a36a7dddc43771dc7c0a75326755487fb976d1c9ccb71140		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D74 10224 bytes
font_02_sfnt_off0000b060.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB060 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.