Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf7a55e45a0211a6…

MALICIOUS

PDF

52.9 KB Created: 2020-08-18 21:44:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f4d80630ba73c8d8ccfd079a1176543 SHA-1: 7765db861b49b3ac24b7e1c5c967c3956813367f SHA-256: bf7a55e45a0211a60e01d92c7501704a22673f2fc3ecf601d316980acb82620d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=android+vs+ios+market+share+global'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many of which are hosted on cdn.shopify.com and other unknown domains. The document body, though heavily obfuscated, contains the same redirector URL. This suggests the primary intent is to direct users to potentially malicious content or phishing sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=android+vs+ios+market+share+global
    • http://files.taejulee.com/uploads/1/3/1/8/131872054/peguforafu.pdf
    • http://files.bookscapes.co.uk/uploads/1/3/1/0/131069863/jerujenoxivenipu.pdf
    • http://files.olgasplaces.com/uploads/1/3/0/7/130775163/2afeaa1a897.pdf
    • https://cdn.shopify.com/s/files/1/0431/6826/8448/files/computer_networking_mcq_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/4365/1741/files/dizexe.pdf
    • https://cdn.shopify.com/s/files/1/0431/4693/6482/files/53528143612.pdf
    • https://cdn.shopify.com/s/files/1/0429/7113/6154/files/applications_letter_sample.pdf
    • https://cdn.shopify.com/s/files/1/0433/1785/4373/files/cvc_word_family_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0428/9275/5111/files/xubarijemexidikatib.pdf
    • https://cdn.shopify.com/s/files/1/0437/4550/9537/files/89311218108.pdf
    • https://cdn.shopify.com/s/files/1/0431/9870/9918/files/6255619870.pdf
    • https://cdn.shopify.com/s/files/1/0434/5603/7016/files/715782424.pdf
    • https://cdn.shopify.com/s/files/1/0429/0176/6310/files/conjuntivite_bacteriana_pediatria.pdf
    • https://cdn.shopify.com/s/files/1/0433/0219/1269/files/pidusidamejujakod.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008435.bin
a5f94b8a8bfac0911ed16cc195ff0cb0abf9d5a9a1561c0969cd07caa71cd1d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8435 5280 bytes
font_01_sfnt_off000095fd.bin
0a5c0664e0b0f4d0d4c730cd5235aae8ea6d1bba7af45a76c44ccfe88df20b5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95FD 10136 bytes
font_02_sfnt_off0000b87b.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB87B 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.