Malicious PDF — malware analysis report

Static analysis result for SHA-256 d441bd43a1bd2684…

MALICIOUS

PDF

48.0 KB Created: 2020-08-08 09:36:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8551a5488455e69bdfca523f9ac8d322 SHA-1: e549f5fcfebec40582efb13dbcaa035c95b95375 SHA-256: d441bd43a1bd26845686f632056c2d3b12a5d4081bbd894b346bd792a6eebe7c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many hosted on Shopify. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/pify?keyword=berdyaev+slavery+and+freedom+pdf', suggesting a lure to a malicious site disguised as a search result for a PDF.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=berdyaev+slavery+and+freedom+pdf
    • http://files.libera-translations.com/uploads/1/3/1/3/131381602/zalaberes.pdf
    • http://files.creativejuicesboosted.com/uploads/1/3/1/6/131636725/nanuke.pdf
    • http://files.wss1sgradeib.com/uploads/1/3/1/4/131407148/nuluwugebaxidowawuk.pdf
    • https://cdn.shopify.com/s/files/1/0431/6086/2874/files/ikea_pax_catalogue_uk.pdf
    • https://cdn.shopify.com/s/files/1/0428/9436/0743/files/xijini.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3768/files/san_agustin_de_hipona_biografia.pdf
    • https://cdn.shopify.com/s/files/1/0431/5797/9304/files/9546622405.pdf
    • https://cdn.shopify.com/s/files/1/0431/5630/8123/files/vilot.pdf
    • https://cdn.shopify.com/s/files/1/0434/5852/7397/files/jukudigolegumal.pdf
    • https://cdn.shopify.com/s/files/1/0430/4103/0293/files/wiguwavagoxew.pdf
    • https://cdn.shopify.com/s/files/1/0437/6359/7473/files/aieee_2020_solutions_download.pdf
    • https://cdn.shopify.com/s/files/1/0439/6898/7294/files/string_to_byte_array.pdf
    • https://cdn.shopify.com/s/files/1/0434/2880/6808/files/22538909630.pdf
    • https://cdn.shopify.com/s/files/1/0432/3622/9277/files/dazisigobawidam.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/87899810879.pdf
    • https://cdn.shopify.com/s/files/1/0430/3123/2674/files/81301326048.pdf
    • https://cdn.shopify.com/s/files/1/0439/1239/6968/files/5162369859.pdf
    • https://cdn.shopify.com/s/files/1/0432/6385/2708/files/all_basic_math_formulas.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007d42.bin
67e71058dd1e56a8d5d7ae14f51b6c38597c1e645702b2a1ba361e6919b739c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D42 5400 bytes
font_01_sfnt_off00008f9c.bin
a53eaee2e4819a8552844f5f7cc5d56b0814dded8c3d904fee348052c0b12d39		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F9C 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.