Malicious PDF — malware analysis report

Static analysis result for SHA-256 d15ef5a59fcca9a2…

MALICIOUS

PDF

64.9 KB Created: 2020-08-19 11:22:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8be4a08528319e4ca7fa4d453aecb0a SHA-1: c9da449952cc5dd2b329cb0dfe96fe67a1c1cd6f SHA-256: d15ef5a59fcca9a2de759d7ae77a09f578e4137317de40e993f443ebf393148c
168 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains multiple embedded links, with one pointing to a known malicious redirector at 'https://ttraff.ru/pify?keyword=chrome+adblock+android+xda'. The document also exhibits a 'Browser extension / update installation lure' heuristic, indicating a social-engineering attempt to trick the user into installing malicious software. The presence of numerous links to Shopify-hosted PDFs suggests a link farm used for SEO poisoning or distributing malicious content.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=chrome+adblock+android+xda
    • http://files.peacefulsoulcounseling.com/uploads/1/3/0/9/130969079/romedup.pdf
    • http://files.shaneproductions.com/uploads/1/3/1/4/131452903/820bc2753.pdf
    • http://files.webchristchurch.com/uploads/1/3/2/6/132695741/2166143.pdf
    • http://files.artandroulla.com/uploads/1/3/1/3/131380773/6e51b943ebb202b.pdf
    • http://files.dwellwithchrist.com/uploads/1/3/2/7/132740838/1490824.pdf
    • https://cdn.shopify.com/s/files/1/0431/1059/6765/files/advanced_language_practice_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/2745/5400/files/talidimakujonexixolo.pdf
    • https://cdn.shopify.com/s/files/1/0438/7844/9307/files/zijon.pdf
    • https://cdn.shopify.com/s/files/1/0430/3713/0914/files/nisatale.pdf
    • https://cdn.shopify.com/s/files/1/0435/5181/7883/files/xuxojuramupagepezapemasu.pdf
    • https://cdn.shopify.com/s/files/1/0431/3828/5725/files/tanudolomusufopibidoduxuj.pdf
    • https://cdn.shopify.com/s/files/1/0440/6686/5302/files/vawekajoba.pdf
    • https://cdn.shopify.com/s/files/1/0428/5654/6467/files/jamakeguretefefod.pdf
    • https://cdn.shopify.com/s/files/1/0430/7946/7162/files/mac_address_vendor_list.pdf
    • https://cdn.shopify.com/s/files/1/0437/2794/5889/files/donell_jones_where_i_wanna_be_mp3.pdf
    • https://cdn.shopify.com/s/files/1/0429/8945/3473/files/xipavowomubevarozuleg.pdf
    • https://cdn.shopify.com/s/files/1/0428/4219/4083/files/zoziwaxeti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a0f6.bin
129d4acf65c31db3c6b05ca173d5f1526c01b35be9289b7fc0ceb58ecbb089bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA0F6 8908 bytes
font_01_sfnt_off0000bec1.bin
2f2d16ca87a9c0fe0c073f81148285ee9bb2673a2b763b93ad69e38497ca59b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBEC1 5176 bytes
font_02_sfnt_off0000d037.bin
79f85181739824265c6498c59ac682b903f322012fbdfe5c52de7dae3b660144		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD037 11404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.