Malicious PDF — malware analysis report

Static analysis result for SHA-256 c79f81384d1f5453…

MALICIOUS

PDF

55.6 KB Created: 2020-08-30 23:28:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f6b031d2da6e52fd6130fcd29389fd0 SHA-1: 83e7e2720057872492135b97abf23b25a7ed41de SHA-256: c79f81384d1f54530697b64cf3bbcb11c7ef241a64deb159e96d6f799ef398df
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link that redirects to a known malicious domain, disguised as a book title. This indicates a social engineering attack aiming to trick the user into visiting a harmful site. The PDF also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation to improve the ranking of the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=university+physics+with+modern+physics+14th+edition+by+young+and+freedman+with+mastering+physics
    • https://cdn.shopify.com/s/files/1/0437/2889/6161/files/bakalinozexaw.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/jisabisagubimebusogapasof.pdf
    • https://cdn.shopify.com/s/files/1/0433/8129/3221/files/24332449696.pdf
    • https://cdn.shopify.com/s/files/1/0432/7407/6315/files/odds_of_winning_solitaire.pdf
    • https://cdn.shopify.com/s/files/1/0431/0024/2077/files/gelep.pdf
    • https://cdn.shopify.com/s/files/1/0435/1174/2628/files/miscreated_how_to_make_a_server.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3847/files/92694720289.pdf
    • https://cdn.shopify.com/s/files/1/0428/7492/9308/files/nojavulogebitojosu.pdf
    • https://static.usrfiles.com/ugd/b8c837_99ad1b897190417794d4720556388221.pdf
    • https://static.usrfiles.com/ugd/432b07_95a53b51459f48f9ae6da4b3c3f841d7.pdf
    • https://static.usrfiles.com/ugd/1ee69b_28cba6eae40949278b54afd521a2e30a.pdf
    • https://static.usrfiles.com/ugd/b8c837_a8f2906ae8a04caa8d393c15974df4cc.pdf
    • https://static.usrfiles.com/ugd/9e41f0_583e7dfeedd64f58aae6af8b2afebff6.pdf
    • https://cdn.shopify.com/s/files/1/0435/9749/6477/files/nududufebabuboned.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/pegumi.pdf
    • https://cdn.shopify.com/s/files/1/0431/8271/9127/files/46108733101.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000096bf.bin
cc3f79d77594315a98e1dba90962128e2aa73812273fcb0a92fe435462507fd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x96BF 6064 bytes
font_01_sfnt_off0000ab50.bin
ff287e9a02c9802079751d2f190bbbbb21b775a74e0d6460f2ca937ed2d462f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB50 10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.