Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbbc439de5ba013b…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Created: 2020-08-11 16:29:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51ccc117e3cd7d8eb023585517ded95e
SHA-1: 2556e10825cccaab71e4547c7e6df33b3351e6b4
SHA-256: dbbc439de5ba013b4031b39f7ee17f5912d5da5e65e961d2b8d1114568c1cc02
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a malicious redirector link and a large number of external links, indicating a link farm strategy. The document body, though corrupted, contains text related to 'Bseb 10th result 2020 pdf download', suggesting a lure for search engine traffic. The primary malicious URL is https://ttraff.ru/pify?keyword=bseb+10th+result+2020+pdf+download, which likely leads to further malicious content or phishing pages. The combination of a redirector and a link farm points towards SEO abuse for malicious purposes.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable PDF combines external action with parser-evasion structure [high] PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=bseb+10th+result+2020+pdf+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000068a6.bin
SHA-256: 2e7d7c15261993c76469de831a45108a85476ee49321425d4bd3d352fc2a7046
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x68A6
Size: 5736 bytes

Filename: font_01_sfnt_off00007c3b.bin
SHA-256: 12066f3d19bf9428510c2eef7a210f23c0e0920b924580da8aa7f10b9d2e0268
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7C3B
Size: 10288 bytes