Malicious PDF — malware analysis report

Static analysis result for SHA-256 db7e7ebc13baf10e…

MALICIOUS

PDF

51.4 KB Created: 2020-08-08 17:59:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d86571fb1fd1fa666270c22b509fe16a SHA-1: 845ced6c8aa942b1555e42befb72f4b5f5e32c76 SHA-256: db7e7ebc13baf10e8d39adba2b095450afbd7c9ea8d4495db223964991132bfb
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1059.003 Windows Command Shell

The PDF contains a malicious redirector link and a large number of external PDF links, suggesting a link farm or redirection tactic. The document body also contains a lure to copy/paste content into a shell, indicating an attempt to trick the user into executing commands. The primary malicious URL identified is ttraff.ru.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bullying+solutions+pdf
    • http://vubukel.sebogmbh.com/uploads/1/3/1/4/131453060/gazevaj_reguxupeteditar_vazurugami_zunipoxujaw.pdf
    • http://files.kamachiro.com/uploads/1/3/0/7/130739510/84b37bc0a8ee.pdf
    • http://files.shophazeljames.com/uploads/1/3/1/4/131437285/nigeluxi.pdf
    • https://cdn.shopify.com/s/files/1/0436/0385/3476/files/78210399441.pdf
    • https://cdn.shopify.com/s/files/1/0437/8814/0696/files/30981158567.pdf
    • https://cdn.shopify.com/s/files/1/0433/3859/6510/files/mysql_foreign_key.pdf
    • https://cdn.shopify.com/s/files/1/0430/3791/7335/files/83768280614.pdf
    • https://cdn.shopify.com/s/files/1/0430/9604/7783/files/2442366441.pdf
    • https://cdn.shopify.com/s/files/1/0432/8266/1526/files/25406773839.pdf
    • https://cdn.shopify.com/s/files/1/0450/5151/0936/files/java_8_jdk.pdf
    • https://cdn.shopify.com/s/files/1/0428/3770/4867/files/manopokobogurifupixuja.pdf
    • https://cdn.shopify.com/s/files/1/0431/5886/4028/files/95438666393.pdf
    • https://cdn.shopify.com/s/files/1/0431/7675/5349/files/39129951938.pdf
    • https://cdn.shopify.com/s/files/1/0429/9633/4753/files/git_bash_windows_ssh.pdf
    • https://cdn.shopify.com/s/files/1/0431/6420/5216/files/96106858877.pdf
    • https://cdn.shopify.com/s/files/1/0438/9991/2344/files/android_permission_list.pdf
    • https://cdn.shopify.com/s/files/1/0436/1617/4243/files/7700652749.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007e91.bin
f69010b3a9d7c85271ba15431f2dd5a83c638811768ea166b29b3454c42985e5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E91 5052 bytes
font_01_sfnt_off00008ff0.bin
604a943545753c7b988a3c1278425c277e2a8fad3ec570f4462f9cf4bcbdfc9c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8FF0 15960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.