Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3d61260b8735864…

MALICIOUS

PDF

53.5 KB Created: 2020-07-28 14:26:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68423fa29584bfd3d9e376b5443a858b SHA-1: 4a25a259a2de9c98d98c7c8c2f893273f87eee85 SHA-256: d3d61260b8735864c7dcbaa1004b75a4768d4fa38f190825da8804e3a41969f2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link that redirects to a known malicious domain, ttraff.ru. The document body, though partially corrupted, suggests a lure related to health guidelines. The heuristic firings confirm the presence of a malicious redirector link and a link farm within the PDF, indicating a phishing or redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=new+guidelines+for+blood+pressure+in+seniors
    • http://files.ladyteeproductions.com/uploads/1/3/2/6/132682134/rivoxifeg.pdf
    • http://files.minichangeyoga.com/uploads/1/3/1/3/131383775/7b510b.pdf
    • http://files.mytridentestates.com/uploads/1/3/2/7/132712206/8239059.pdf
    • https://cdn.shopify.com/s/files/1/0428/4016/2470/files/26914237052.pdf
    • https://cdn.shopify.com/s/files/1/0431/1141/5965/files/notutubefibanafu.pdf
    • https://cdn.shopify.com/s/files/1/0431/5034/4352/files/20272147859.pdf
    • https://cdn.shopify.com/s/files/1/0434/9437/5576/files/xozarawenomopimasixoto.pdf
    • https://cdn.shopify.com/s/files/1/0430/8716/7645/files/woruxazalukojetufax.pdf
    • https://cdn.shopify.com/s/files/1/0429/4325/0588/files/jojar.pdf
    • https://cdn.shopify.com/s/files/1/0431/8658/5749/files/tobori.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/95181885481.pdf
    • https://cdn.shopify.com/s/files/1/0429/8450/5498/files/82391609017.pdf
    • https://cdn.shopify.com/s/files/1/0436/3033/0016/files/78326072566.pdf
    • https://cdn.shopify.com/s/files/1/0431/2340/9057/files/pukomil.pdf
    • https://cdn.shopify.com/s/files/1/0431/0496/0676/files/14147297433.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000094eb.bin
1005a63bfa0f121c307aa8cbca8c96426ec2ab4e93cd48b6936c6e7c8db26191		 pdf-font-stream PDF embedded font (sfnt) at offset 0x94EB 5000 bytes
font_01_sfnt_off0000a5fe.bin
6406204819320408fc90c272a6b76890bc37892f78e7f39f6c45958d2ff66791		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA5FE 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.