Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdaebacbdcc92b27…

MALICIOUS

PDF

38.6 KB Created: 2020-08-31 07:48:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 44748382dcc5222b0dad53a41bd17bba SHA-1: 16479e301d0202b868c618d4164609e9c493746d SHA-256: bdaebacbdcc92b2776f1dee3b5aabfba67014d663fbe1c821d551fec1631e279
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify-hosted PDFs, suggesting an SEO link farm. One of these links, however, redirects to a known malicious domain (ttraff.ru). This indicates a likely attempt to leverage SEO techniques for malicious redirection, potentially to distribute further malware or conduct phishing. No scripts were extracted, and the document body is heavily obfuscated.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=polaris+scrambler+400+4x4+parts
    • https://cdn.shopify.com/s/files/1/0431/1321/8199/files/37463353940.pdf
    • https://cdn.shopify.com/s/files/1/0428/1306/3327/files/aecb_credit_report_for_companies.pdf
    • https://cdn.shopify.com/s/files/1/0431/4847/6570/files/gajarike.pdf
    • https://cdn.shopify.com/s/files/1/0437/1991/7719/files/43846306515.pdf
    • https://cdn.shopify.com/s/files/1/0433/7614/8638/files/wahl_guide_combs_sizes.pdf
    • https://cdn.shopify.com/s/files/1/0438/1265/1170/files/canon_eos_60da_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/3468/1250/files/o_admiravel_mundo_novo_livro.pdf
    • https://cdn.shopify.com/s/files/1/0431/0306/0128/files/54752408384.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_af40cd019fe949c986d0c16f978538ad.pdf
    • https://static.usrfiles.com/ugd/bf07b1_db310bf84b614852903edea475bf4ac5.pdf
    • https://static.usrfiles.com/ugd/b8c837_99e0277005fb42d088b4fafd92db5424.pdf
    • https://cdn.shopify.com/s/files/1/0429/0710/7495/files/gevotidadejesolukirafok.pdf
    • https://cdn.shopify.com/s/files/1/0437/8587/9704/files/28466683848.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b34.bin
5880f93aed5f62fc3492da1349fd674ab70b9e40298df029a16f501b6c93a61a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B34 5200 bytes
font_01_sfnt_off00005ce6.bin
91cfeed118ecb4421731f5b9204be70bbff759802d5994b0ae23a557f34876a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CE6 10212 bytes
font_02_sfnt_off00007fd7.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FD7 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.