Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5a3af2950f8f12d…

MALICIOUS

PDF

42.9 KB Created: 2020-08-22 20:18:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ebcf76b5b25a600434158b030b194d7 SHA-1: a8cef3361a39c969be4af50045d921765f78be62 SHA-256: c5a3af2950f8f12d9d81d4850b9a4477e1949a6c03f9a452cbdf977e3dc76046
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass external PDF link farm, with multiple links pointing to shopify.com domains and one critical link to a known malicious redirector at ttraff.ru. The document body text, though heavily obfuscated, includes the URL 'https://ttraff.ru/pify?keyword=music+sheet+for+itsy+bitsy+spider', suggesting a lure to disguise malicious activity. The file's primary function appears to be redirecting users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=music+sheet+for+itsy+bitsy+spider
    • http://files.lrsalrccd.org/uploads/1/3/0/7/130739987/verudak.pdf
    • http://files.paloverdeafjrotc.org/uploads/1/3/0/7/130738562/raduwijud_wavulijemev_mibuxin.pdf
    • https://cdn.shopify.com/s/files/1/0435/1187/3688/files/fidemopivodali.pdf
    • https://cdn.shopify.com/s/files/1/0438/8978/7048/files/sygg_river_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/6259/9586/files/kuzetobakudipuzavezufot.pdf
    • https://cdn.shopify.com/s/files/1/0431/4162/8072/files/rexoweranekoxe.pdf
    • https://cdn.shopify.com/s/files/1/0437/8938/5885/files/21216200816.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/52325197595.pdf
    • https://cdn.shopify.com/s/files/1/0435/8737/1167/files/49839578150.pdf
    • https://cdn.shopify.com/s/files/1/0438/4836/8288/files/samsung_android_10_beta_programm.pdf
    • https://cdn.shopify.com/s/files/1/0431/9431/9009/files/vovewetox.pdf
    • https://cdn.shopify.com/s/files/1/0439/0669/5320/files/jewapuz.pdf
    • https://cdn.shopify.com/s/files/1/0430/2995/4721/files/javuduxawepojalusekoravo.pdf
    • https://cdn.shopify.com/s/files/1/0436/3167/3502/files/79058954517.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b66.bin
e8576263b755681b3ebb786ef77aae66677c642094c06f6e3e60b022fc16e8dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B66 5248 bytes
font_01_sfnt_off00006d3f.bin
15226c878d8650c43c90a008da113264731127c8e7fdbf0cbe1b038339aed3bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D3F 15060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.