Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6bdae142d337f8e…

Verdict: MALICIOUS
File type: PDF
Size: 43.4 KB
Created: 2020-08-23 23:18:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a2e1347b1c7fdb96a42382cf6255328
SHA-1: 56949dd387bc94a9e59178c72e13c5e086c2c8ec
SHA-256: d6bdae142d337f8ed8661ae877f4506617f011cd6436e2a52cb3faa3fe686cae
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a lure for a 'free projected cash flow statement template' which is a common tactic for phishing or scam attempts. The document body and heuristics indicate that embedded links, specifically the one to 'ttraff.ru', are designed to redirect users to malicious infrastructure. The presence of numerous other PDF links suggests a link farm or SEO poisoning attempt to increase visibility.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure (severity: medium, ID: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=free+projected+cash+flow+statement+template

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006a71.bin
  SHA-256: 386ddbde85abe1fdb8b44a3dd3ba9d89f7a986bd7fe2d580dbc8f115478d410c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6A71
  Size: 5520 bytes

Filename: font_01_sfnt_off00007d22.bin
  SHA-256: 22cf45f3325034c65bdaa7ab759a6d157f4238bf0c1ec6b1eed8e4fa8014ddbb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7D22
  Size: 10428 bytes