Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8209071328271e8…

MALICIOUS

PDF

Size: 40.5 KB
Created: 2020-08-08 02:57:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8a4680cf15e0bbe9eddc9cff43d917b4
SHA-1: 8f9f27615c4db91f0bcf7fd443e7494597dca950
SHA-256: d8209071328271e8c43453d6bbf5089bfb6676c5b59d9a05d528cc4fbe8488bd
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file triggers a heuristic for a malicious redirector link pointing to 'ttraff.ru'. The URL is presented within the document body, disguised as a link to 'catia v5 training manuals pdf'. The file also exhibits link-farm characteristics: it embeds numerous URLs, many of which point to Shopify domains hosting PDF files. The primary malicious URL is most likely used to redirect the user to a site that may host further malicious content or an exploit.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=catia+v5+training+manuals+pdf
    • http://files.moundsviewxc.com/uploads/1/3/0/7/130775848/kefokafi-safojivikikalo.pdf
    • http://files.publichealthmuseum.org/uploads/1/3/1/3/131384789/a826b1b39.pdf
    • http://files.architecturalglass.org/uploads/1/3/2/7/132741189/soves_nusosas_jinifurun_gonan.pdf
    • https://cdn.shopify.com/s/files/1/0437/7011/8306/files/vector_calculus_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/5671/7206/files/18434318982.pdf
    • https://cdn.shopify.com/s/files/1/0431/0604/2013/files/kipuf.pdf
    • https://cdn.shopify.com/s/files/1/0432/5166/3012/files/67061001464.pdf
    • https://cdn.shopify.com/s/files/1/0432/2122/1539/files/baka_to_test_light_novel.pdf
    • https://cdn.shopify.com/s/files/1/0434/5639/7464/files/royal_alpha_580_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/3994/7932/files/9063986568.pdf
    • https://cdn.shopify.com/s/files/1/0434/2287/5813/files/nuzub.pdf
    • https://cdn.shopify.com/s/files/1/0434/0000/3747/files/82468213999.pdf
    • https://cdn.shopify.com/s/files/1/0427/8131/1132/files/12647774091.pdf
    • https://cdn.shopify.com/s/files/1/0430/3178/9721/files/solving_equations_8th_grade.pdf
    • https://cdn.shopify.com/s/files/1/0430/5158/1597/files/linukadadolan.pdf
    • https://cdn.shopify.com/s/files/1/0433/4501/9045/files/zowifupevopadizefew.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000606d.bin
SHA-256: 6bf99510b88c9ade0d5ef039902821f459c528aa233e06f19cba2a90ffaf11bb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x606D
Size: 5452 bytes

Filename: font_01_sfnt_off000072ed.bin
SHA-256: cba3cf4e6033c2b0322021983bb2041da128c2c152cfccd82fb1db108b05bb29
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x72ED
Size: 10268 bytes