Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbd0bca884d6558a…

MALICIOUS

PDF

45.7 KB Created: 2020-08-31 05:00:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77a42296a1d8ff931eaaffcedb3547a8 SHA-1: a1eb00c34c83d1a10f063bde6949785b021ee8ba SHA-256: dbd0bca884d6558a79c24e0686ecbba477ac19bc149b174150d5f86608f29765
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one heuristic specifically identifying a malicious redirector. The document body, though heavily obfuscated, contains the text 'A man without a country' and the malicious URL https://ttraff.ru/wix?keyword=a+man+without+a+country, suggesting a lure to a malicious site. The presence of numerous other links to Shopify PDFs indicates a link farm strategy to obscure the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=a+man+without+a+country
    • https://cdn.shopify.com/s/files/1/0433/4963/9327/files/worship_sheet_music_free.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/miveguxuxububepevomozit.pdf
    • https://cdn.shopify.com/s/files/1/0433/5622/5686/files/mezigexidolopigosatek.pdf
    • https://cdn.shopify.com/s/files/1/0432/4491/2802/files/ark_survival_evolved_server.pdf
    • https://cdn.shopify.com/s/files/1/0432/1089/9624/files/lododofemukixujezemukiwar.pdf
    • https://cdn.shopify.com/s/files/1/0431/3173/2132/files/37648165146.pdf
    • https://cdn.shopify.com/s/files/1/0437/8561/7560/files/free_camisole_pattern.pdf
    • https://cdn.shopify.com/s/files/1/0427/9461/4940/files/beginning_spanish_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0430/0128/2711/files/xojap.pdf
    • https://cdn.shopify.com/s/files/1/0431/6299/2795/files/gowapagivawareseretuto.pdf
    • https://cdn.shopify.com/s/files/1/0433/5045/8520/files/28395796153.pdf
    • https://cdn.shopify.com/s/files/1/0434/5636/4709/files/26816272226.pdf
    • https://cdn.shopify.com/s/files/1/0432/8433/2710/files/vincent_price_height.pdf
    • https://cdn.shopify.com/s/files/1/0437/9531/6896/files/the_wanderer_anglo_saxon.pdf
    • https://cdn.shopify.com/s/files/1/0433/9014/0581/files/38257871591.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007668.bin
0bbd3db06bc3bb89c39c03e6397402d7930f23b627705ccf05be2fdcac58e2db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7668 5012 bytes
font_01_sfnt_off00008754.bin
ac2a0036106ccc830c4c3b3248c0d78cb1eb5afad429b0b679f8af7bd502eb83		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8754 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.