Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6399c2499e6a2bb…

MALICIOUS

PDF

61.0 KB Created: 2020-08-18 15:31:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 790a09fb851f2f980039e6fa1490d0ea SHA-1: bd07bb4cfeb5de61d3935733a76e11adcf2f7f4e SHA-256: c6399c2499e6a2bb94020c49b7cecab86326fad99e45b933dcec31b65cfa8da5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to redirect users to malicious infrastructure. The primary malicious URL identified is https://ttraff.ru/pify?keyword=add+vectors+in+polar+form, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and other links pointing to various PDF files hosted on Shopify and other domains, likely as a lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=add+vectors+in+polar+form
    • http://files.bluecactustriathlonclub.com/uploads/1/3/0/7/130775970/depekedixagonot_perojod_mubog.pdf
    • http://files.getstravel.com/uploads/1/3/0/7/130739043/fujenes.pdf
    • http://jojenax.rscollegesupport.org/uploads/1/3/1/6/131606490/dupatomugaveli.pdf
    • http://files.hochbergbiodiversitylab.com/uploads/1/3/0/7/130776433/3a07e6f0.pdf
    • http://files.cabotkennels.com/uploads/1/3/1/0/131069890/jadisi_rubumebixa_felave.pdf
    • https://cdn.shopify.com/s/files/1/0435/9464/5663/files/87415369931.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/29025511016.pdf
    • https://cdn.shopify.com/s/files/1/0430/8454/6209/files/59090516540.pdf
    • https://cdn.shopify.com/s/files/1/0429/2250/8454/files/75713478434.pdf
    • https://cdn.shopify.com/s/files/1/0432/9163/9966/files/82847656428.pdf
    • https://cdn.shopify.com/s/files/1/0436/3000/2336/files/12240090116.pdf
    • https://cdn.shopify.com/s/files/1/0434/3355/8168/files/xubegodasu.pdf
    • https://cdn.shopify.com/s/files/1/0436/5526/6454/files/zejugimovofevukewirodag.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009a46.bin
7e04f01bd7f100a5a7a2a2a82241b860458f3da68e413df959fabc33833afcd8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A46 5352 bytes
font_01_sfnt_off0000ac62.bin
15971703c978c4a75190ff1af74925c369709b3af82e0d087159214ccebff6f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAC62 11612 bytes
font_02_sfnt_off0000d276.bin
3da9309f7c28e01a20d15285b754fad9116e6eb7744d168a0fff2950d6122081		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD276 16072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.