Malicious PDF — malware analysis report

Static analysis result for SHA-256 d90a2c15a3ebd138…

MALICIOUS

PDF

39.9 KB Created: 2020-08-15 06:53:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 67cd3f0c5bd4db00da21531c6b91e78d SHA-1: e8cc0737a3b6f07c25d79c5bb9f67a81c7e08a2f SHA-256: d90a2c15a3ebd138635ae0f610fb3842fe30e0a47eaafaa45059995b8c8a1cf6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, a common tactic for SEO link farms and phishing campaigns. One of the embedded links, https://ttraff.ru/wb?keyword=modernism/postmodernism%20peter%20brooker%20pdf, is identified as a known malicious redirector. The presence of numerous links, including those pointing to external PDFs, suggests an attempt to manipulate search engine results or lure users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=modernism/postmodernism%20peter%20brooker%20pdf
    • http://lifafewi.breaksticks.pitbullhill.com/uploads/1/3/0/7/130775997/86d21a448a3.pdf
    • http://fomanew.vipercussion.org/uploads/1/3/1/6/131637881/tolipimibaju-gifipitowudefim-zowovux.pdf
    • https://cdn.shopify.com/s/files/1/0432/9167/2736/files/sudoxogebinulewafuza.pdf
    • https://cdn.shopify.com/s/files/1/0427/4028/5607/files/kisabuf.pdf
    • https://cdn.shopify.com/s/files/1/0440/6195/0117/files/42191090616.pdf
    • https://cdn.shopify.com/s/files/1/0430/0223/2983/files/37953594857.pdf
    • https://cdn.shopify.com/s/files/1/0437/4275/7029/files/33966414848.pdf
    • https://cdn.shopify.com/s/files/1/0430/0649/2823/files/didisimofebukapemo.pdf
    • https://cdn.shopify.com/s/files/1/0428/0313/4627/files/norazerutegav.pdf
    • https://cdn.shopify.com/s/files/1/0434/8228/4194/files/kowapugazuxoledi.pdf
    • https://cdn.shopify.com/s/files/1/0440/1466/5886/files/152216060.pdf
    • https://cdn.shopify.com/s/files/1/0437/6212/2903/files/75997441266.pdf
    • https://cdn.shopify.com/s/files/1/0429/5219/6249/files/minecraft_pe_0._13._0_mods.pdf
    • https://cdn.shopify.com/s/files/1/0427/7259/4844/files/93555500816.pdf
    • https://cdn.shopify.com/s/files/1/0434/0563/9836/files/88707369689.pdf
    • https://cdn.shopify.com/s/files/1/0431/4021/9034/files/nags_head_north_carolina_weather.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e17.bin
c1c778198d8a71fa47071b3fd7fb29abff9a5f2f6f2760a66db065a72bf46e81		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E17 5188 bytes
font_01_sfnt_off00006fb6.bin
53282cf2dd54b193688e26d027c561fb9a918c0f78d2291935dc394397b4425d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FB6 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.