Malicious PDF — malware analysis report

Static analysis result for SHA-256 bda0800429646422…

MALICIOUS

PDF

45.3 KB Created: 2020-08-31 05:17:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42b38f16f4cbaf2b3ca9c6f2c5bfcd9d SHA-1: 4fa00b2f0e0d26c2c48005feeca9a6aef075b013 SHA-256: bda0800429646422f758be31d8ce95bfa3b0ed51a194cb6fbd39c5d05498ea59
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector link to 'ttraff.ru'. Another critical heuristic identified a large number of external PDF links, many hosted on Shopify, suggesting a link farm or SEO manipulation tactic. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/wix?keyword=best+clone+wars+arcs', reinforcing the malicious redirector finding. The primary attack pattern involves luring users to malicious sites via these embedded links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=best+clone+wars+arcs
    • https://cdn.shopify
    • https://cdn.shopify.com/s/files/1/0431/5417/8216/files/kadomekipaxivajisi.pdf
    • https://cdn.shopify.com/s/files/1/0428/7679/7081/files/gikiwifejadir.pdf
    • https://cdn.shopify.com/s/files/1/0434/1006/3527/files/antibioticos_y_sus_familias.pdf
    • https://cdn.shopify.com/s/files/1/0444/2914/8327/files/rumovusemuxekajatezekarip.pdf
    • https://cdn.shopify.com/s/files/1/0431/1557/7504/files/giramivivumonawajitik.pdf
    • https://cdn.shopify.com/s/files/1/0447/9864/0288/files/algebra_2_textbook_texas.pdf
    • https://static.usrfiles.com/ugd/e1d12c_1168411aec404482ba6566dd6364b2a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_e9d795a3549d41608b705ae0f41ce733.pdf
    • https://static.usrfiles.com/ugd/b8c837_15345c7aa809426fb861a94daaa19a05.pdf
    • https://static.usrfiles.com/ugd/32777b_aa1ea8eba13649d18fb509c7cfee9d38.pdf
    • https://cdn.shopify.com/s/files/1/0431/8606/1480/files/jakuz.pdf
    • https://cdn.shopify.com/s/files/1/0436/6172/1765/files/68906045418.pdf
    • https://cdn.shopify.com/s/files/1/0437/9561/1805/files/tipos_de_apomixis.pdf
    • https://cdn.shopify.com/s/files/1/0432/9357/3288/files/lijidave.pdf
    • https://cdn.shopify.com/s/files/1/0430/4814/0949/files/84476727171.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007516.bin
1766dd443057ed15d07b2f8642a02cde0727f5cd13a54385cdac681d2d537105		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7516 4936 bytes
font_01_sfnt_off000085f9.bin
7581ca900c82aab4060158652456c95d183338264c26ac4f7d18463bd8c35b37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85F9 10164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.