Malicious PDF — malware analysis report

Static analysis result for SHA-256 be8f9a8609fdb7f0…

MALICIOUS

PDF

Size: 39.2 KB
Created: 2020-08-31 12:58:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61d6f49f87a9154489bad513b09c680c
SHA-1: 4ba149970a99dbc2339a7819db6d669a703a3ddc
SHA-256: be8f9a8609fdb7f0984eedaaa1878bd641b92b5934691a43288fc312d31b0b81
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and a significant number of external links, many of which point to Shopify domains, suggesting a link farm or SEO manipulation tactic. Crucially, one of the embedded links directs to a known malicious redirector at 'ttraff.ru'. While no specific malware family is identified, the presence of malicious redirectors and the SEO link farm pattern indicate a likely attempt to lure users to malicious content or phishing sites.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/wix?keyword=tp+drosophile+ts+corrig%25C3%25A9
    • https://cdn.shopify.com/s/files/1/0434/7183/1193/files/hs_code_malaysia_2020_sst.pdf
    • https://cdn.shopify.com/s/files/1/0433/4790/2622/files/organization_theory_and_design_12th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nakoximowukod.pdf
    • https://cdn.shopify.com/s/files/1/0432/7879/4917/files/free_gospel_music_downloads.pdf
    • https://cdn.shopify.com/s/files/1/0431/2812/7645/files/25699480108.pdf
    • https://cdn.shopify.com/s/files/1/0429/2195/1391/files/sanded_vs_unsanded_grout.pdf
    • https://static.usrfiles.com/ugd/0bcf16_c15e23ce218a494591a4e0b3d0136ab3.pdf
    • https://static.usrfiles.com/ugd/b8c837_c0e0fc3e21e64b7e804d174912939c56.pdf
    • https://static.usrfiles.com/ugd/e32576_1c92dbf56b1b401baa22906f3ac3bfbb.pdf
    • https://static.usrfiles.com/ugd/cd79e3_aaeaaa9de6d34befb008afde43e259e8.pdf
    • https://cdn.shopify.com/s/files/1/0437/6884/0341/files/42484076218.pdf
    • https://cdn.shopify.com/s/files/1/0433/1434/8197/files/lejosokokuf.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nubizasijimowedemo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0564/8807/files/73967744850.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000596a.bin
  SHA-256: c74abaa6aff63168f46d64b14de267d9d12e7846e1d2927e903f51a97d3ebcc9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x596A
  Size: 5216 bytes

Filename: font_01_sfnt_off00006ae1.bin
  SHA-256: b1e4d789cc69486bec99ca103559c8d6dbc291acdfd971e6dba49565b51c5395
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6AE1
  Size: 10696 bytes