Malicious PDF — malware analysis report

Static analysis result for SHA-256 e114f19db35dc4b9…

MALICIOUS

PDF

41.1 KB Created: 2020-08-12 15:51:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bda200808c9d41530c07419fe8777b6 SHA-1: f314fbdabcf6c7bc7a3a04d588f55d84ccdc6cfd SHA-256: e114f19db35dc4b987cfe3183a08e124f03dc1929313c710e960537bf7f27c08
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, identified as a PDF link farm. One of these links, 'https://ttraff.ru/pify?keyword=budaya+hedonisme+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to contain references to the 'budaya hedonisme pdf' keyword, suggesting a lure to a document related to this topic. The primary attack pattern involves redirecting users to malicious infrastructure through these embedded links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=budaya+hedonisme+pdf
    • http://dozuzibak.hansmuerpercussion.com/uploads/1/3/2/6/132681464/7725861.pdf
    • http://guvizi.eisol.my/uploads/1/3/2/3/132303382/xirefopen_zesipofivifuwes.pdf
    • http://files.tangentspole.com/uploads/1/3/0/7/130775402/rarasuxelibi.pdf
    • https://cdn.shopify.com/s/files/1/0432/8947/7273/files/40208445748.pdf
    • https://cdn.shopify.com/s/files/1/0432/2872/5405/files/63816450982.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zukukujumifuxutage.pdf
    • https://cdn.shopify.com/s/files/1/0434/1147/2541/files/likepejemaresus.pdf
    • https://cdn.shopify.com/s/files/1/0431/5843/8039/files/daduxune.pdf
    • https://cdn.shopify.com/s/files/1/0433/8964/9054/files/difirudux.pdf
    • https://cdn.shopify.com/s/files/1/0428/4959/9651/files/vategexolugozarabu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0032/3478/files/20730807902.pdf
    • https://cdn.shopify.com/s/files/1/0431/2668/5858/files/xodebavenog.pdf
    • https://cdn.shopify.com/s/files/1/0434/7301/0850/files/66939248204.pdf
    • https://cdn.shopify.com/s/files/1/0434/0737/6542/files/55042754865.pdf
    • https://cdn.shopify.com/s/files/1/0430/3562/3578/files/dasep.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064dc.bin
7ef53af6091a7f0d251d2dbcc68276dacee34d60fcccfd5b71b8de8c6c98311d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64DC 5304 bytes
font_01_sfnt_off000076ce.bin
79b2af39f60726abc378b5c8f2a5b96abde4c6534af4057bdf62893bb1f581e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76CE 9732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.