Malicious PDF — malware analysis report

Static analysis result for SHA-256 d63e4a7c8e15615d…

Verdict: MALICIOUS
Type: PDF
Size: 72.9 KB
Created: 2020-08-30 10:28:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f8f5faa8d4492173d1f4bec8e3d1b2e
SHA-1: 636739033e8b567872c6f40a6a575fa1c4c97502
SHA-256: d63e4a7c8e15615d6ce346da0a52b994f5868323d1d700efa75d8ae8690a14c0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, characteristic of a link farm. One of these links, 'https://ttraff.ru/wix?keyword=morfologia+externa+dos+insetos', is flagged as a malicious redirector. The document body itself is heavily obfuscated and appears to be generated content, likely to mask the malicious links. The primary attack pattern involves luring users to malicious infrastructure through these embedded links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/wix?keyword=morfologia+externa+dos+insetos
    • https://cdn.shopify.com/s/files/1/0435/1806/6842/files/jonathan_tennent_child_of_rage.pdf
    • https://cdn.shopify.com/s/files/1/0464/8904/3112/files/airline_tycoon_evolution_manual_test_codes.pdf
    • https://cdn.shopify.com/s/files/1/0429/3158/5180/files/xowibinirodatutegavemix.pdf
    • https://cdn.shopify.com/s/files/1/0437/9426/8320/files/rupigiganatagugusiko.pdf
    • https://cdn.shopify.com/s/files/1/0459/3159/3895/files/lagitevogobajafemi.pdf
    • https://cdn.shopify.com/s/files/1/0428/0696/8483/files/9371389248.pdf
    • https://cdn.shopify.com/s/files/1/0432/2413/7890/files/wadusegopetaxevikuvif.pdf
    • https://static.usrfiles.com/ugd/b8c837_7600b00ee34841ea871ac60a9762bf49.pdf
    • https://static.usrfiles.com/ugd/5360f8_a60d7e21878b44b4a887e5d75d0a67a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd6b989234fb4b62b9efc3dbff31a08e.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ecdb13adb7c4b1888c2f9531758d173.pdf
    • https://static.usrfiles.com/ugd/b4a829_0453676c5aca491ebadf63acbdb621b3.pdf
    • https://static.usrfiles.com/ugd/bf650e_e912f611b36b476a80fcd6295030df76.pdf
    • https://static.usrfiles.com/ugd/ca32a8_3ef5be323f454fc9b0f03611ce1237e3.pdf
    • https://static.usrfiles.com/ugd/b8c837_71205bbc53eb4b099c60c9424b31e795.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000db63.bin
    SHA-256: 4d0a466ff5dabfb665e61705dcc0a6e4b64d2e6b182bf809cb6fccfaf60ef51e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB63
    Size: 5148 bytes
  • Filename: font_01_sfnt_off0000ed04.bin
    SHA-256: d4618d1d399ec11151f55064e42746ea217fa9b58065268b306495fcadfa2e00
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED04
    Size: 13388 bytes