Malicious PDF — malware analysis report

Static analysis result for SHA-256 e05d3f5cf4cba5db…

Verdict: MALICIOUS
File type: PDF

Size: 44.5 KB
Created: 2020-08-03 06:46:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7). wkhtmltopdf is an HTML-to-PDF converter, so the document was rendered from a web page rather than authored in an office application, which fits the generated link-farm pattern flagged below.
MD5: 6a1fcb729a91d011a4b7cb3b5f94a9e4
SHA-1: 7292b83b5908e8037f4621a96f32ec77349eb4e1
SHA-256: e05d3f5cf4cba5dbb3c944a0e71a0c511bde5f70ee74a8f914a2c98104ef8c79
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment (the PDF is the delivered attachment)
T1204.001 Malicious Link (the user must click a link inside the PDF to reach the redirector)

The PDF contains a large number of external links, most of them pointing to PDFs hosted on cdn.shopify.com, which is the signature of a generated link farm. One link, https://ttraff.ru/pify?keyword=verilog+register+file, points at a known malicious redirector. The visible document content is junk text with no meaningful body, so the document's only function is to route a user who clicks through to external, potentially harmful content. Nothing in the analysis points to a parser exploit; the risk is the click, not the open.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel through which each URL is reached (macro, JS, link annotation, document body, ...) determines how much weight it carries.
    Clickable link URIs (the links the two critical heuristics refer to; the first is the redirector, the rest are the link farm):
    • https://ttraff.ru/pify?keyword=verilog+register+file
    • http://files.upstandingpainandspine.com/uploads/1/3/2/3/132302941/5856107.pdf
    • http://files.ourladyoflourdesharrisonville.org/uploads/1/3/1/3/131383456/2306897.pdf
    • http://files.aaronstarnes.com/uploads/1/3/0/8/130874042/5087019.pdf
    • https://cdn.shopify.com/s/files/1/0439/2160/4763/files/43718425244.pdf
    • https://cdn.shopify.com/s/files/1/0434/6970/1280/files/jikolulow.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dewefezagabujam.pdf
    • https://cdn.shopify.com/s/files/1/0429/8945/3473/files/kusuxaxarikuki.pdf
    • https://cdn.shopify.com/s/files/1/0434/1324/2014/files/dazuwikisojivefikawetilof.pdf
    • https://cdn.shopify.com/s/files/1/0430/9758/7861/files/12155955095.pdf
    • https://cdn.shopify.com/s/files/1/0434/6229/5714/files/10368222990.pdf
    • https://cdn.shopify.com/s/files/1/0440/9524/2392/files/kakomizusuwobet.pdf
    • https://cdn.shopify.com/s/files/1/0427/7121/8588/files/fesedovivodepuxaba.pdf
    • https://cdn.shopify.com/s/files/1/0429/9702/2871/files/famikigo.pdf
    • https://cdn.shopify.com/s/files/1/0429/2762/0263/files/wutezulew.pdf
    Namespace URIs from the XMP metadata stream (standard RDF, Dublin Core and Adobe XMP identifiers; not clickable links, and present in any PDF that carries XMP metadata, so they should be discounted in triage):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
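The three heuristics above, as an added example that is not part of this report's tooling: a stdlib-only Python script that pulls /URI link-annotation targets and bare URLs out of an uncompressed PDF, labels each URL with the channel that reached it (link annotation versus document body, the distinction the EMBEDDED_URL note relies on), and then applies the redirector and link-farm rules. The thresholds (200 KB, at least five .pdf links, at least half of them on one host) and the constructed sample PDF are assumptions made for the example; the redirector host and the URLs in the sample are the ones listed in this report. Because it works on raw bytes it will miss annotations stored inside compressed object streams or written as hex strings, so for real triage feed it a decompressed copy (for instance the output of qpdf --qdf --object-streams=disable) or use a proper PDF parser.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample for this example: a minimal, uncompressed PDF with six
# /Link annotations and an XMP metadata stream. The URLs are copied from the
# report's URL list; the object layout is invented, and there is no xref
# table, so strict parsers will reject it. The extractor below never needs it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj\n"
    b"4 0 obj << /Type /Metadata /Subtype /XML /Length 169 >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
    b'         xmlns:dc="http://purl.org/dc/elements/1.1/"\n'
    b'         xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\n'
    b"endstream\nendobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 712] /A << /S /URI"
    b" /URI (https://ttraff.ru/pify?keyword=verilog+register+file) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 300 692] /A << /S /URI"
    b" /URI (https://cdn.shopify.com/s/files/1/0439/2160/4763/files/43718425244.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 672] /A << /S /URI"
    b" /URI (https://cdn.shopify.com/s/files/1/0434/6970/1280/files/jikolulow.pdf) >> >> endobj\n"
    b"8 0 obj << /Type /Annot /Subtype /Link /Rect [72 640 300 652] /A << /S /URI"
    b" /URI (https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dewefezagabujam.pdf) >> >> endobj\n"
    b"9 0 obj << /Type /Annot /Subtype /Link /Rect [72 620 300 632] /A << /S /URI"
    b" /URI (https://cdn.shopify.com/s/files/1/0429/8945/3473/files/kusuxaxarikuki.pdf) >> >> endobj\n"
    b"10 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 612] /A << /S /URI"
    b" /URI (http://files.aaronstarnes.com/uploads/1/3/0/8/130874042/5087019.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI (...) literal strings inside link actions; tolerates backslash-escaped parens.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Any http(s) URL anywhere in the raw bytes (page text, XMP metadata, comments).
_BARE_URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]]+")

# Thresholds are assumptions chosen for this example, not the report's own tuning.
MAX_SMALL_PDF_BYTES = 200 * 1024
MIN_PDF_LINKS = 5
MIN_TOP_HOST_SHARE = 0.5
# Redirector host taken from this report's PDF_MALICIOUS_REDIRECTOR_LINK finding.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}


def _unescape_pdf_string(raw: bytes) -> str:
    """Undo the \\( \\) \\\\ escapes of a PDF literal string (octal escapes are
    not handled; they do not occur in URLs in practice)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            out += raw[i + 1:i + 2]
            i += 2
        else:
            out += raw[i:i + 1]
            i += 1
    return out.decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel that reached it: 'link_annotation' for a
    clickable /URI action, 'document_body' for a bare URL anywhere else
    (XMP namespaces, page text). The annotation label wins when both apply."""
    urls = {}
    for m in _BARE_URL_RE.finditer(pdf):
        urls.setdefault(m.group(0).decode("latin-1"), "document_body")
    for m in _URI_RE.finditer(pdf):
        urls[_unescape_pdf_string(m.group(1))] = "link_annotation"
    return urls


def run_heuristics(pdf: bytes) -> list:
    """Return (severity, rule_id, evidence) tuples in the order the report lists them."""
    urls = extract_urls(pdf)
    clickable = [u for u, ch in urls.items() if ch == "link_annotation"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    by_host = Counter(urlsplit(u).hostname for u in pdf_links)
    hits = []

    # Rule 1: any clickable link into known redirector infrastructure.
    redirectors = [u for u in clickable if urlsplit(u).hostname in KNOWN_REDIRECTOR_HOSTS]
    if redirectors:
        hits.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))

    # Rule 2: small file, many clickable .pdf links, mostly on one host.
    if by_host and len(pdf) <= MAX_SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        top_host, top_count = by_host.most_common(1)[0]
        if top_count / len(pdf_links) >= MIN_TOP_HOST_SHARE:
            hits.append(("critical", "PDF_SEO_LINK_FARM",
                         [f"{top_count}/{len(pdf_links)} .pdf links on {top_host}"]))

    # Rule 3: informational listing of every URL with its channel label.
    if urls:
        hits.append(("info", "EMBEDDED_URL", [f"{ch}: {u}" for u, ch in urls.items()]))
    return hits


if __name__ == "__main__":
    for severity, rule, evidence in run_heuristics(SAMPLE_PDF):
        print(f"[{severity}] {rule}")
        for line in evidence:
            print("   ", line)
```

Run against the constructed sample, the script reports the redirector hit, the link farm (4 of 5 .pdf links on cdn.shopify.com) and nine URLs, with the three XMP namespace URIs labelled document_body and the six annotation targets labelled link_annotation; only the latter feed the two critical rules, which is what keeps benign metadata from raising the score.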

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                    Size
font_00_sfnt_off000071dd.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x71DD  4688 bytes
    SHA-256: 94d66e4fc993292891813003404f5e61f1e2f66e7e858a4ba4ed18463c0c5008
font_01_sfnt_off000081ef.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x81EF  10248 bytes
    SHA-256: 4e61ce0249ebe64f1cf273b84111c96af0a83598acb2e0a979f8aa410db05307

Embedded subset fonts are normal output of the Qt PDF engine behind wkhtmltopdf and are not indicators on their own; the hashes are recorded so the carved streams can be matched against other samples from the same generator or campaign.