Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3e0dc2999b028a8…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Created: 2020-08-26 23:53:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59f73c9ff7ad29093d411802856fdd40
SHA-1: 89cfcda10db484904505915a00510969fb3e4dd8
SHA-256: d3e0dc2999b028a8cf45c02e6c9f0be91185d499dc306e3139426a8e86edce45
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (the sample's only payload is a clickable link into a redirect chain)
T1059.001 Command and Scripting Interpreter: PowerShell (no script artifact was extracted from this sample to support this mapping; see Malware Insights below)

The PDF contains a clickable link to ttraff.ru, a known malicious redirector. The link is keyed to the search query 'how to make tts sing' (carried in the URL's keyword parameter), which is typical of SEO-bait documents that lure a searcher into a redirect chain rather than a targeted phishing lure. The file also looks like a generated link farm: it carries many embedded links to other hosted PDFs, most of them on a single CDN host and several on suspicious-looking subdomains. No scripts were extracted from this sample, so there is no direct execution behaviour to analyse; any impact depends on the user clicking a link and following the redirect chain.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters for triage is the channel that carried it (link annotation, metadata, document body, macro, JS, ...). The URLs below are grouped by channel.
    Link targets (14), the first of which is the known malicious redirector flagged by PDF_MALICIOUS_REDIRECTOR_LINK:
    • https://ttraff.ru/pify?keyword=how+to+make+tts+sing
    • http://sujalo.doloreswhelanswimming.com/uploads/1/3/2/8/132814930/238be8559.pdf
    • http://vitatele.cloudhauz.com/uploads/1/3/0/7/130739430/6220830.pdf
    • http://lipewexet.msbennettart.com/uploads/1/3/1/3/131380591/54f64bbc8eaa.pdf
    • http://files.gruuvtech.com/uploads/1/3/2/8/132814900/721644fcf4dc1d.pdf
    • http://lapavij.rockytopgoldendoodles.com/uploads/1/3/0/9/130969761/dixadekudumom.pdf
    • https://cdn.shopify.com/s/files/1/0437/5805/9671/files/geometric_mean_in_statistics.pdf
    • https://cdn.shopify.com/s/files/1/0437/7939/1646/files/brick_bonds_types_pdf.pdf
    • https://cdn.shopify.com/s/files/1/0431/1361/1413/files/doll_dance_video.pdf
    • https://cdn.shopify.com/s/files/1/0436/9776/6553/files/58526538591.pdf
    • https://cdn.shopify.com/s/files/1/0430/7048/8730/files/dipizejel.pdf
    • https://cdn.shopify.com/s/files/1/0432/4658/3976/files/30282575810.pdf
    • https://cdn.shopify.com/s/files/1/0435/3405/7621/files/ganuvoxi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/72890356131.pdf
    XMP/RDF namespace URIs (6): standard identifiers from the document's XMP metadata packet. They are not clickable links, are expected in wkhtmltopdf output, and are not indicators on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
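The two critical heuristics above, and the point that a URL's channel matters more than the URL itself, can be reproduced with a short Python script. The block below is an added example, not the analysis platform's own code: it builds a constructed PDF 1.4 carrying one /Link annotation per URL (a subset of the link targets listed above) plus an XMP metadata packet, extracts every URL together with the channel that carried it, and then evaluates the redirector and link-farm conditions. The thresholds (100 KB, at least five .pdf link targets, at least half of them on one host), the known-redirector list and the raw-byte scan are assumptions. The scan is sufficient for output like wkhtmltopdf/Qt 4.8, where annotation dictionaries are stored uncompressed; PDFs from newer producers that pack objects into compressed object streams would need an object-stream decoder first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hosts the report above names as redirector infrastructure (assumed list).
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# Standard XMP/RDF namespace URIs live in the metadata stream; they are
# identifiers, not link targets, and must not be counted as embedded links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

LINK_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)  # /A << /S /URI /URI (...) >>
METADATA_RE = re.compile(rb"/Type\s*/Metadata.*?stream\r?\n(.*?)\r?\nendstream", re.S)
XMLNS_RE = re.compile(rb'xmlns:[\w-]+="([^"]+)"')
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")

# Constructed sample: eight of the link targets from the report above.
SAMPLE_LINKS = [
    "https://ttraff.ru/pify?keyword=how+to+make+tts+sing",
    "http://sujalo.doloreswhelanswimming.com/uploads/1/3/2/8/132814930/238be8559.pdf",
    "http://files.gruuvtech.com/uploads/1/3/2/8/132814900/721644fcf4dc1d.pdf",
    "https://cdn.shopify.com/s/files/1/0437/5805/9671/files/geometric_mean_in_statistics.pdf",
    "https://cdn.shopify.com/s/files/1/0437/7939/1646/files/brick_bonds_types_pdf.pdf",
    "https://cdn.shopify.com/s/files/1/0431/1361/1413/files/doll_dance_video.pdf",
    "https://cdn.shopify.com/s/files/1/0436/9776/6553/files/58526538591.pdf",
    "https://cdn.shopify.com/s/files/1/0430/7048/8730/files/dipizejel.pdf",
]


def build_sample_pdf(link_urls):
    """Constructed sample: a minimal PDF 1.4 with one page, one /Link annotation
    per URL and an XMP metadata stream. Demo input only, not the real sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annot_refs + b"] >>")
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><rdf:Description>'
           b'<pdf:Producer>wkhtmltopdf</pdf:Producer></rdf:Description></rdf:RDF></x:xmpmeta>')
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream")
    for url in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (" + url.encode() + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def extract_urls(pdf):
    """Return {url: channel}. Link annotations are classified first, then XMP
    namespaces, then anything else found in the raw bytes."""
    channels = {m.group(1).decode("latin-1"): "link annotation" for m in LINK_URI_RE.finditer(pdf)}
    meta_urls = set()
    for m in METADATA_RE.finditer(pdf):
        meta_urls.update(u.decode("latin-1") for u in XMLNS_RE.findall(m.group(1)))
    for m in ANY_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url in channels:
            continue
        if url in meta_urls or url.startswith(XMP_NAMESPACE_PREFIXES):
            channels[url] = "xmp namespace (metadata, not clickable)"
        else:
            channels[url] = "document body / other"
    return channels


def redirector_hits(channels):
    """PDF_MALICIOUS_REDIRECTOR_LINK: clickable link whose host is known redirector infra."""
    return sorted(u for u, ch in channels.items()
                  if ch == "link annotation" and urlparse(u).hostname in KNOWN_REDIRECTOR_HOSTS)


def link_farm(pdf, channels, max_size=100 * 1024, min_pdf_links=5, min_host_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable .pdf targets, clustered on one host.
    Thresholds are assumed for the demo; the report does not publish its own."""
    pdf_links = [u for u, ch in channels.items()
                 if ch == "link annotation" and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fires = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_host_share
    return {"fires": fires, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2)}


def analyze(pdf):
    channels = extract_urls(pdf)
    return {"urls": channels, "redirectors": redirector_hits(channels),
            "link_farm": link_farm(pdf, channels)}


if __name__ == "__main__":
    result = analyze(build_sample_pdf(SAMPLE_LINKS))
    for url, channel in result["urls"].items():
        print(f"{channel:40s} {url}")
    print("redirector hits:", result["redirectors"])
    print("link farm:", result["link_farm"])
```

On the constructed sample the redirector check fires on the ttraff.ru link, the link-farm check sees seven .pdf targets with cdn.shopify.com holding five of them, and the three XMP namespace URIs are reported as metadata rather than links, which is the distinction the EMBEDDED_URL entry above asks the analyst to make.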

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded fonts are expected in wkhtmltopdf output; the hashes are listed so the carved streams can be matched against known-good font files rather than treated as payloads.

Filename                        Kind              Source                                      Size
font_00_sfnt_off00005f3b.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x5F3B   4996 bytes
  SHA-256: 2e7c23aec6e774f5257c8c017f006a0ce133c659b4fd6466eda8ed0356f2a999
font_01_sfnt_off0000703e.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x703E   14800 bytes
  SHA-256: c512ee4edbd85b550489af270ee5312804d762c7cc772001817803abaa060b4d
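Carving the font streams yourself is the quickest way to confirm that the two artifacts above really are sfnt containers and not something else hidden behind a /FontFile2 dictionary. The block below is an added example, not the platform's carver: it scans a PDF for stream objects, inflates FlateDecode streams, keeps only payloads that open with an sfnt magic (00 01 00 00, true, OTTO or ttcf), and reports object number, stream-data offset, decoded size and SHA-256 in the same shape as the table. The sample PDF is constructed inline (one content stream, one compressed font, one uncompressed font); the regex object scan and the assumption that the report's offset is the start of the stream data are mine, and the scan again only covers PDFs without compressed object streams, which is the case for Qt 4.8 output.

```python
import hashlib
import re
import zlib

# Magic bytes that open an sfnt container: TrueType, Apple 'true', OpenType/CFF, collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Object header + dictionary + 'stream' keyword. The negative lookahead stops the
# dictionary match at 'endobj', so one match can never span two objects.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; '/Length 12 0 R' (indirect) is deliberately not matched.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_pdf(streams):
    """Constructed sample: each entry is (extra dict keys, raw stream bytes). Demo only."""
    out = bytearray(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
    for num, (extra, data) in enumerate(streams, start=2):
        out += b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(data), extra)
        out += data + b"\nendstream\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


def carve_sfnt_fonts(pdf):
    """Return one record per stream whose decoded payload starts with an sfnt magic."""
    found = []
    for m in STREAM_OBJ_RE.finditer(pdf):
        objnum, sdict, start = int(m.group(1)), m.group(2), m.end()
        lm = DIRECT_LENGTH_RE.search(sdict)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end].rstrip(b"\r\n") if end != -1 else b""
        if b"/FlateDecode" in sdict:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or corrupt stream: nothing trustworthy to carve
        else:
            data = raw
        if not data.startswith(SFNT_MAGICS):
            continue
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "object": objnum,
            "offset": start,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return found


# Constructed inputs: a TrueType-style header plus filler, an OpenType/CFF header
# plus filler, and a page content stream that must not be carved.
FONT_A = b"\x00\x01\x00\x00\x00\x0c" + bytes(200)
FONT_B = b"OTTO" + bytes(120)
CONTENT = b"BT /F1 12 Tf (hello) Tj ET"
SAMPLE_PDF = build_sample_pdf([
    (b"", CONTENT),
    (b"/Filter /FlateDecode /Length1 %d" % len(FONT_A), zlib.compress(FONT_A)),
    (b"", FONT_B),
])

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print("%(filename)s obj %(object)d offset 0x%(offset)X %(size)d bytes %(sha256)s" % rec)
```

The decoded size is what gets reported, so a carved font can be larger than the compressed stream that holds it in the file; comparing the SHA-256 against the font files shipped with the producer's platform is how you separate a vanilla embedded font from a stream that merely claims to be one.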