Malicious PDF — malware analysis report

Static analysis result for SHA-256 df20d3d6f6a69773…

MALICIOUS

PDF

46.4 KB Created: 2020-08-29 03:37:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7629f8293263e6475a63ce44523f2be1 SHA-1: 3efb6dbf825100220352d35b1f824cfc483d58df SHA-256: df20d3d6f6a697734bc50087ebe9479baa8a0a00a4841366d9803ff593765df8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, a technique often used for SEO poisoning or to redirect users to malicious sites. One critical heuristic firing indicates a direct link to a known malicious redirector infrastructure at 'https://ttraff.ru/wix?keyword=marco+teorico+del+tabaquismo+en+adolescentes'. The document body, though heavily obfuscated, contains this URL, suggesting the primary intent is to lure the user to this external resource.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=marco+teorico+del+tabaquismo+en+adolescentes
    • https://cdn.shopify.com/s/files/1/0438/5089/1424/files/gobugageve.pdf
    • https://cdn.shopify.com/s/files/1/0433/2588/2518/files/72409202688.pdf
    • https://cdn.shopify.com/s/files/1/0431/4903/3627/files/kuwewon.pdf
    • https://cdn.shopify.com/s/files/1/0441/3086/1208/files/fender_guitar_dater.pdf
    • https://cdn.shopify.com/s/files/1/0437/0045/3541/files/jativedujobege.pdf
    • https://cdn.shopify.com/s/files/1/0429/8535/7463/files/tools_for_strengths_based_assessment_and_evaluation.pdf
    • https://cdn.shopify.com/s/files/1/0430/2218/8701/files/58119647240.pdf
    • https://cdn.shopify.com/s/files/1/0431/5385/0524/files/satedumufutuzitoxupe.pdf
    • https://static.usrfiles.com/ugd/b8c837_09df1c41986148b692514e324df8a25e.pdf
    • https://static.usrfiles.com/ugd/b8c837_6c3396a730224ef3be5a2a9c5f2265b8.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc272b27e15f4de58af9a9a24f09f596.pdf
    • https://static.usrfiles.com/ugd/b8c837_c0b45965979a4c90a5296df37cb5cf00.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066e0.bin
e34624d9642e58b276ae54332ed72b709f7b0563dd8a244dc0f90135cedc7d08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66E0 5240 bytes
font_01_sfnt_off00007884.bin
9503e5c96874b9200799349e88ed6aebf72a2a69b522d37339aad8fdc1b78bac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7884 11132 bytes
font_02_sfnt_off00009ca0.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9CA0 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.