Malicious PDF — malware analysis report

Static analysis result for SHA-256 d384ba91c1e085d3…

MALICIOUS

PDF

41.7 KB Created: 2020-09-01 03:53:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5442c5bbb3bc075380ae18f7e62ab6ad SHA-1: 4de410cc7a519af2e28d1799628fb085d1b5b4a5 SHA-256: d384ba91c1e085d3a1f657ed696c12dcab870f4f7e131e4642a2a751d56b6fdf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to shopify.com, but one critical link redirects to ttraff.ru. This indicates a link farm designed to obscure the final malicious destination. The primary malicious URL is ttraff.ru, which is flagged as a malicious redirector. The document body contains garbled text but also includes the target URL and benign-looking PDF links, suggesting a lure to disguise the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=sequin+formal+gowns+for+sale
    • https://cdn.shopify.com/s/files/1/0433/3905/5258/files/60941027610.pdf
    • https://cdn.shopify.com/s/files/1/0457/8073/0012/files/ladexetexoxigisiludage.pdf
    • https://cdn.shopify.com/s/files/1/0435/6574/4287/files/rulebo.pdf
    • https://cdn.shopify.com/s/files/1/0428/2354/9094/files/mafozajerikozegikopetafaw.pdf
    • https://cdn.shopify.com/s/files/1/0432/5238/3904/files/sufinuwutepevewenek.pdf
    • https://cdn.shopify.com/s/files/1/0434/1753/4629/files/zonimebudejisid.pdf
    • https://cdn.shopify.com/s/files/1/0429/6700/7386/files/32808002317.pdf
    • https://cdn.shopify.com/s/files/1/0432/8813/3787/files/52047742827.pdf
    • https://static.usrfiles.com/ugd/15ebe2_3d9bf50432d34101884488a911e8ed0a.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_2e8bf17b7cb2422faf3726543587c572.pdf
    • https://static.usrfiles.com/ugd/1f6d71_d3d483f3781d47429eb836239dc8bcdf.pdf
    • https://static.usrfiles.com/ugd/b8c837_5c5d0e8ef8cc449fb11bb7d577dc25a8.pdf
    • https://static.usrfiles.com/ugd/b8c837_92285239dda64af3bd69be43a5aa0015.pdf
    • https://static.usrfiles.com/ugd/b8c837_7910ecf8492747a98f9ddf053568d30e.pdf
    • https://static.usrfiles.com/ugd/82e28d_079889c7b6c34a0d9affd06cc7f5c2d0.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_97bcefe8e9a84f90bb3398b3e9494a2c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063c8.bin
8d71334716eb9d6f3ce561967d5035c8934256cc20dca6eb09e4fb4a01c906cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63C8 5408 bytes
font_01_sfnt_off00007627.bin
c4a946cac4477630b6b845cdd6cc109f3e65fafd0024026f6c3408f42a7739a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7627 10468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.