Malicious PDF — malware analysis report

Static analysis result for SHA-256 be12ad025d3393d2…

MALICIOUS

PDF

49.1 KB Created: 2020-08-06 02:55:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69a2f22a3ccc2a012b7dc067532bdca3 SHA-1: fa59b40a37fe2275512cd3c4093f2ab0a51f10de SHA-256: be12ad025d3393d2fd74b9dbe7b4f92215da683751d7c00eed153e9ca5f69fa6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to direct users to a malicious redirector at `https://ttraff.ru/pify?keyword=list+of+all+collective+nouns+pdf`. This is a common tactic for SEO poisoning and phishing campaigns. The document body itself is heavily obfuscated but appears to contain the same URL and other benign-looking PDF links, likely to bolster the SEO poisoning attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=list+of+all+collective+nouns+pdf
    • http://files.industrialbling.com/uploads/1/3/1/4/131406391/togakalo.pdf
    • http://files.windowsofatlanta.com/uploads/1/3/1/4/131407655/62846ed44b43afa.pdf
    • http://files.solreta.com/uploads/1/3/1/1/131164552/bufipesibolapoxafu.pdf
    • http://files.katekisscoaching.com/uploads/1/3/1/4/131437491/xazuj.pdf
    • http://morutudo.reginaldart.com/uploads/1/3/0/8/130873826/1db97f4f6136.pdf
    • https://cdn.shopify.com/s/files/1/0434/2687/3509/files/letterhead_format.pdf
    • https://cdn.shopify.com/s/files/1/0437/0091/2278/files/16166390596.pdf
    • https://cdn.shopify.com/s/files/1/0431/7249/5524/files/mosusujisunefuzujapub.pdf
    • https://cdn.shopify.com/s/files/1/0431/7341/3028/files/73269745915.pdf
    • https://cdn.shopify.com/s/files/1/0428/3957/2643/files/kikowabaje.pdf
    • https://cdn.shopify.com/s/files/1/0429/1405/4300/files/macos_restart_vnc_server.pdf
    • https://cdn.shopify.com/s/files/1/0431/1865/7703/files/nulefodezudad.pdf
    • https://cdn.shopify.com/s/files/1/0432/1338/9992/files/21096128159.pdf
    • https://cdn.shopify.com/s/files/1/0432/9209/8716/files/bapuferuvexogujedakopo.pdf
    • https://cdn.shopify.com/s/files/1/0431/4929/5776/files/zibogow.pdf
    • https://cdn.shopify.com/s/files/1/0429/8987/9445/files/31095787462.pdf
    • https://cdn.shopify.com/s/files/1/0429/7896/7703/files/20808522588.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000078ae.bin
d2e4d01bb05882bcc51843227a4a8e8f05edf3a933268cd557c829358691e27c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78AE 5056 bytes
font_01_sfnt_off00008a04.bin
46549a1c83e12eadb3fa14f424029dcb25c6694f6b108c09a8c918455009d5fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A04 14088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.