Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5505a89c29929e0…

MALICIOUS

PDF

34.9 KB Created: 2020-08-30 20:13:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 406bd4d6bc6b937ae2af04aa032a5300 SHA-1: 26713040aee663bc7966b2705dcb1876a90a3ee3 SHA-256: d5505a89c29929e048355ea2d631807b46c9a294be846e2a59e74e63248c22f5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF file contains a "Pastors evaluation form" lure and embeds a large number of links. One of these links, https://ttraff.ru/wix?keyword=pastors+evaluation+form, is identified as a malicious redirector. The PDF also exhibits characteristics of a link farm, with 22 external PDF links, many hosted on cdn.shopify.com, suggesting an attempt to manipulate search engine results or distribute further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=pastors+evaluation+form
    • https://cdn.shopify.com/s/files/1/0431/3061/8011/files/gepezijiga.pdf
    • https://cdn.shopify.com/s/files/1/0436/0749/0717/files/admit_card_icai_may_2019.pdf
    • https://cdn.shopify.com/s/files/1/0429/7195/5351/files/importancia_de_la_logistica_y_cadena_de_suministro.pdf
    • https://cdn.shopify.com/s/files/1/0434/4312/6438/files/telegram_stickers_18.pdf
    • https://cdn.shopify.com/s/files/1/0430/1520/9123/files/daxazuxekezidukumivojur.pdf
    • https://static.usrfiles.com/ugd/b8c837_fc0a1e00c05c47cbb3a4919759a81a06.pdf
    • https://static.usrfiles.com/ugd/b5472a_c7c527b06dc34dcd83e189a1a3800427.pdf
    • https://cdn.shopify.com/s/files/1/0431/9074/7295/files/megizafewiwesane.pdf
    • https://cdn.shopify.com/s/files/1/0428/3976/9254/files/citibank_santa_barbara_state_street.pdf
    • https://static.usrfiles.com/ugd/5a1791_47f99744a40e429390e661477b6aeb22.pdf
    • https://static.usrfiles.com/ugd/b8c837_b458b3bc71f041ed8de160528ca3fe6f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d2c.bin
c62dc6060e87dac402755aba474ebbe36f759a573c04e58affe374320c3addc7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D2C 4972 bytes
font_01_sfnt_off00005e00.bin
49f25e7dcfae704d0d1a031c6e114fa5bd754d4ec235efb93d80fdf9c5bb92d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E00 9740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.