Malicious PDF — malware analysis report

Static analysis result for SHA-256 d33b266e7e5abd09…

MALICIOUS

PDF

Size: 67.1 KB
Created: 2020-08-09 08:58:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ca77c55fc2c04e40163011beeabe5f0
SHA-1: 446188e51c9ca534218243ac9e82a72d530d1bdc
SHA-256: d33b266e7e5abd09e1eaf364cddc82885aaaffd7756b838bf0c88109b40e4192
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

The PDF triggers a heuristic for a malicious redirector link pointing to 'https://ttraff.ru/pify?keyword=the+general+theory+of+alternating+current+machines+pdf'. It also matches a PDF link-farm pattern: numerous embedded external PDF links, most of them hosted on cdn.shopify.com. The document body, although partially corrupted, contains the same URL as the redirector annotation, suggesting it is the primary lure. The file's purpose appears to be routing users to a malicious site through that link rather than exploiting the PDF reader.

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=the+general+theory+of+alternating+current+machines+pdf
    • http://files.ethanemersonmusic.com/uploads/1/3/1/4/131406892/5610205.pdf
    • http://files.luciecerna.com/uploads/1/3/0/7/130738993/vaximotudumupoka.pdf
    • http://files.frackfreecolorado.com/uploads/1/3/0/7/130740391/1cf4dd0f.pdf
    • http://files.vafercapital.com/uploads/1/3/2/6/132695372/tefib_deludu_munumilow.pdf
    • http://files.theindianexpresskadhai.com/uploads/1/3/2/6/132695372/rezoninu-volewuwowure-fapigeze.pdf
    • https://cdn.shopify.com/s/files/1/0429/7015/3113/files/nalesi.pdf
    • https://cdn.shopify.com/s/files/1/0436/1791/0946/files/arte_contemporaneo_en_colombia.pdf
    • https://cdn.shopify.com/s/files/1/0430/6491/8165/files/movaxetutoxuve.pdf
    • https://cdn.shopify.com/s/files/1/0434/0000/3747/files/82468213999.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tavolotifejenirogamofiv.pdf
    • https://cdn.shopify.com/s/files/1/0433/6350/0197/files/rogudapewetajuxosopijugo.pdf
    • https://cdn.shopify.com/s/files/1/0434/2788/9308/files/merge_sort_pseudocode.pdf
    • https://cdn.shopify.com/s/files/1/0431/7803/3313/files/38199347059.pdf
    • https://cdn.shopify.com/s/files/1/0432/2266/3325/files/rubebototazud.pdf
    • https://cdn.shopify.com/s/files/1/0436/2282/6142/files/3557870172.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF schema namespace identifiers from the document's metadata stream, not clickable link targets; only the entries above them come from link annotations or the document body.
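The two critical heuristics above amount to: pull every URI out of the PDF's link annotations, count them per host, and compare against a small file size and a watchlist of redirector hosts. The following is an added example of that logic, written for this page and not the analysis platform's own rule code. It parses with regular expressions only (so it sees uncompressed objects, literal-string /URI values and XMP namespaces, but not hex-string URIs or objects inside compressed object streams), separates XMP namespace URIs from link targets, and runs on a constructed PDF modelled on this report's link list. The watchlist holding `ttraff.ru` and the thresholds (10 PDF links, 200 KB, 50% on one host) are assumptions chosen for illustration, not values taken from the report.

```python
"""Extract URIs from a PDF's link annotations and XMP metadata and score the
file against redirector and link-farm heuristics. Regex-only parsing with no
external dependencies; compressed object streams are not inflated."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed watchlist: the one redirector host this report names. A real
# deployment would load this from threat intelligence instead.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Assumed thresholds for the link-farm rule (illustrative, not the report's).
LINK_FARM_MIN_PDF_LINKS = 10
LINK_FARM_MAX_FILE_SIZE = 200 * 1024
LINK_FARM_TOP_HOST_SHARE = 0.5

# "/URI (" followed by a literal string; the name in "/S /URI" never matches
# because it is followed by a delimiter rather than a string.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_-]+="([^"]+)"')


def decode_pdf_literal(raw):
    """Undo PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal, which
    campaigns use to hide URLs from naive string searches."""
    def unescape(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, raw, flags=re.DOTALL).decode("latin-1")


def link_uris(pdf):
    """URIs reachable through /URI entries (link annotations and URI actions)."""
    return [decode_pdf_literal(m) for m in _URI_RE.findall(pdf)]


def xmp_namespaces(pdf):
    """xmlns URIs from XMP metadata: schema identifiers, not link targets."""
    return [u.decode("latin-1") for u in _XMLNS_RE.findall(pdf)]


def score(pdf):
    """Return extracted URIs, per-host counts and the heuristic IDs that fire."""
    links, namespaces = link_uris(pdf), xmp_namespaces(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in links)
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    top_share = hosts.most_common(1)[0][1] / len(links) if links else 0.0
    hits = []
    if KNOWN_REDIRECTOR_HOSTS & set(hosts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= LINK_FARM_MAX_FILE_SIZE
            and len(pdf_links) >= LINK_FARM_MIN_PDF_LINKS
            and top_share >= LINK_FARM_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    if links or namespaces:
        hits.append("EMBEDDED_URL")
    return {"link_uris": links, "xmp_namespaces": namespaces, "hosts": hosts, "hits": hits}


def build_sample_pdf(urls):
    """Constructed minimal PDF: one page, one /Link annotation per URL and a
    small XMP stream so namespace URIs and link targets can be told apart."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF>')
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ("
              + u.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
              + b") >> >>" for u in urls]
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(annots)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>"] + annots
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed link set modelled on the report: the redirector, ten links
# clustered on one CDN host and five spread over assumed example hosts.
SAMPLE_URLS = (
    ["https://ttraff.ru/pify?keyword=the+general+theory+of+alternating+current+machines+pdf"]
    + ["https://cdn.shopify.com/s/files/1/04%02d/0000/0000/files/doc%d.pdf" % (n, n) for n in range(10)]
    + ["http://files.host%d.example/uploads/1/3/1/4/131406892/%d.pdf" % (n, n) for n in range(5)]
)

if __name__ == "__main__":
    result = score(build_sample_pdf(SAMPLE_URLS))
    print(result["hits"], result["hosts"].most_common(3))
```

Running the block prints all three heuristic IDs for the constructed sample and shows cdn.shopify.com carrying 10 of the 16 links; feeding it a one-link document yields only EMBEDDED_URL. For a real sample, inflate FlateDecode streams first (pdf-parser or a similar tool) and feed the decoded bytes in, or the annotations hidden inside object streams will be missed.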

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000c65d.bin | 1af74f4c161cfb5d0cc97ea2448f44ed323918267c0de3fc53f3a59d61e1c4f9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC65D | 5620 bytes
font_01_sfnt_off0000d961.bin | 5e3fee7ba19ea16b96c9841e5ceb597ecfb2552d0f9f4dec35c554c4852e741e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD961 | 10976 bytes
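The artifact names above encode what a carver recorded: the sfnt magic was found at a file offset and a length was derived from it. The following is an added example of that carving step, written for this page and not the analysis platform's own extractor. Instead of trusting the four-byte magic (which also occurs by chance in image data and in PDF booleans such as `true`), it parses the sfnt table directory, rejects implausible table counts, tags or offsets, and takes the length as the aligned end of the last table, returning offset, bytes and SHA-256 so the result can be compared with the hashes in the table above. The carrier bytes it scans are constructed inline; a font inside a FlateDecode stream would have to be inflated before this scan, and when the stream dictionary is intact its /Length1 value is the simpler source of the font size.

```python
"""Carve uncompressed sfnt (TrueType/OpenType) fonts out of a byte blob by
validating the sfnt table directory rather than trusting the magic alone."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType / Apple / CFF flavours


def sfnt_length(buf, off):
    """Length of a plausible sfnt starting at buf[off], or 0 if the table
    directory does not validate (chance matches on the magic are common)."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return 0
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= 64 or off + dir_end > len(buf):
        return 0
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):            # tags are printable ASCII
            return 0
        if t_off < dir_end or t_off + t_len > len(buf) - off:   # table must lie inside the buffer
            return 0
        end = max(end, t_off + t_len)
    return min((end + 3) & ~3, len(buf) - off)                   # tables are 4-byte aligned


def carve_sfnt(buf):
    """Return (offset, font_bytes, sha256_hex) for every validated sfnt in buf."""
    found, pos = [], 0
    while True:
        cands = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not cands:
            return found
        off = min(cands)
        n = sfnt_length(buf, off)
        if n:
            blob = buf[off:off + n]
            found.append((off, blob, hashlib.sha256(blob).hexdigest()))
        pos = off + (n or 1)


def build_sample_sfnt(tables):
    """Constructed minimal TrueType-flavoured sfnt: header, directory, table data."""
    dir_size = 12 + 16 * len(tables)
    directory, data = b"", b""
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, dir_size + len(data), len(payload))
        data += payload + b"\0" * (-len(payload) % 4)
    return struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0) + directory + data


FONT = build_sample_sfnt([(b"head", b"\x00" * 54), (b"cmap", b"C" * 13)])
# Constructed carrier: a decoy magic with an absurd table count, the literal
# "true" of a PDF boolean, and the real font in an uncompressed font stream.
_STREAM_DICT = b"<< /Length %d /Length1 %d >>" % (len(FONT), len(FONT))
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Marked true >>\nendobj\n"
          b"2 0 obj\n<< /Length 6 >>\nstream\n\x00\x01\x00\x00\xff\xff\nendstream\nendobj\n"
          b"3 0 obj\n" + _STREAM_DICT + b"\nstream\n" + FONT + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for off, blob, digest in carve_sfnt(SAMPLE):
        print("font_sfnt_off%08x.bin  %d bytes  sha256=%s" % (off, len(blob), digest))
```

Only the real font survives the scan: the decoy magic fails on its table count and the boolean `true` fails because the bytes that follow it do not form a directory. Against a real PDF the printed offset and length should agree with the ones in the artifact names above.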