Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfd5357f11e85fd5…

MALICIOUS

PDF

34.7 KB Created: 2020-07-25 08:10:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 852b8564797dfc0b3976cf4ee44cab7b SHA-1: 25200a2cc975ea09bb67e044084cba830ce6c256 SHA-256: dfd5357f11e85fd534ba37e6699708e6fa64edbc8247f01be48be225e429e8a9
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

This PDF document is designed as a lure, presenting itself as an 'Agri fab sprayer manual' but containing only an image and a malicious link. The PDF_IMAGE_LURE heuristic indicates it's an image-only document with an action trigger. The PDF_MALICIOUS_REDIRECTOR_LINK heuristic confirms it points to known malicious infrastructure at ttraff.ru. Additionally, the PDF_SEO_LINK_FARM heuristic shows it's part of a link farm, likely to improve search engine ranking for malicious content. The primary IOC is the redirector URL, which is likely the entry point for a phishing or malware delivery chain.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 34 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=agri%20fab%20sprayer%20manual
    • http://files.rayonlifestyle.com/uploads/1/3/1/4/131453299/mozirirabezejemixumi.pdf
    • http://files.toniaindigohughes.com/uploads/1/3/1/3/131380342/negitonomovevuv-vexizi-vejamovixek.pdf
    • http://files.km1922photography.com/uploads/1/3/2/6/132681307/ce5a4812109ea5.pdf
    • http://files.sjmediation.co.uk/uploads/1/3/2/7/132740594/dopunokalefup_fozerisades_runuzo_salufag.pdf
    • http://files.sjmediation.co.uk/uploads/1/3/2/7/132740594/do
    • https://cdn.shopify.com/s/files/1/0430/9562/1796/files/xoxanokizetutiti.pdf
    • https://cdn.shopify.com/s/files/1/0434/7245/3797/files/62539182686.pdf
    • https://cdn.shopify.com/s/files/1/0432/2977/3982/files/64048938207.pdf
    • https://cdn.shopify.com/s/files/1/0428/0995/0367/files/tonob.pdf
    • https://cdn.shopify.com/s/files/1/0431/9395/8560/files/38799196671.pdf
    • https://cdn.shopify.com/s/files/1/0437/1605/1096/files/xodozudelaroromiziva.pdf
    • https://cdn.shopify.com/s/files/1/0432/1050/6404/files/zuvexuvagi.pdf
    • https://cdn.shopify.com/s/files/1/0434/3624/5142/files/wubuwugamegopamenidifusi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/70945418412.pdf
    • https://cdn.shopify.com/s/files/1/0432/6785/0390/files/97410393846.pdf
    • https://cdn.shopify.com/s/files/1/0432/2502/2621/files/12933486175.pdf
    • https://cdn.shopify.com/s/files/1/0427/4293/9814/files/43894709904.pdf
    • https://cdn.shopify.com/s/files/1/0428/1958/4166/files/91097927732.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/58829080427.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005180.bin
2b0a18c55aeb840e07087c8af87585e4f2fdc95a20af661cf2acc3912179d888		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5180 5144 bytes
font_01_sfnt_off000062e4.bin
c11cc0813a5f6d5dac70d8c521aad5d2d9b17a256240d938caa66b34ec1e4644		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62E4 7944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.