Malicious PDF — malware analysis report

Static analysis result for SHA-256 d92203eff4254a17…

MALICIOUS

PDF

138.0 KB Created: 2020-08-12 10:44:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43a3ddb573e5b9c72144514d366a0786 SHA-1: e5892a756127e1e9252a2aa7d2c0d66fa1befecf SHA-256: d92203eff4254a1702f762f2aab1cae6f94f7a5bc4cdf07e66436707bcd0cfc3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded links that point to a known malicious redirector infrastructure, specifically 'ttraff.ru'. The document body, though heavily obfuscated, contains a reference to the same URL, suggesting it's the primary lure. The PDF also exhibits characteristics of a link farm, with numerous external links, likely for SEO manipulation to attract victims.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=saint+augustine+of+hippo+pdf
    • http://files.fullerevents.com/uploads/1/3/1/3/131379456/3513327.pdf
    • http://files.thecbhsa.org/uploads/1/3/1/4/131437657/5a68427e8b2937.pdf
    • http://buwapi.fietstaxischeveningen.nl/uploads/1/3/1/3/131383544/mutunox.pdf
    • http://files.armadalecoc.com/uploads/1/3/2/7/132710679/lekukomaxo.pdf
    • https://cdn.shopify.com/s/files/1/0449/7919/1966/files/6973461782.pdf
    • https://cdn.shopify.com/s/files/1/0428/2118/9788/files/6298191697.pdf
    • https://cdn.shopify.com/s/files/1/0430/8523/4338/files/lededuvij.pdf
    • https://cdn.shopify.com/s/files/1/0429/9299/2410/files/apex_programming_books.pdf
    • https://cdn.shopify.com/s/files/1/0429/2670/2755/files/mabidegumuwarilabipanex.pdf
    • https://cdn.shopify.com/s/files/1/0436/6408/1046/files/jorge_basadre_libros.pdf
    • https://cdn.shopify.com/s/files/1/0437/5108/0085/files/nunabu.pdf
    • https://cdn.shopify.com/s/files/1/0429/2483/4975/files/bhavabhuti_books.pdf
    • https://cdn.shopify.com/s/files/1/0428/1221/1359/files/adobe_reader_scan_to_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0440/6460/4310/files/kofanuleputaroduvutamo.pdf
    • https://cdn.shopify.com/s/files/1/0437/6153/3082/files/33795445314.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001db3d.bin
56fd53671d6697c718de9815ff1a088cae3392821b90506bac6fcf510b5f54c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1DB3D 5276 bytes
font_01_sfnt_off0001ed2a.bin
b563c6ffb2cd76cc84d37d855ad30027c9c5f66a3248d6455665bd557f1909d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1ED2A 14116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.