Malicious PDF — malware analysis report

Static analysis result for SHA-256 e11db70158ff01fd…

Verdict: MALICIOUS
Type: PDF
Size: 44.4 KB
Created: 2020-08-31 05:38:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79ca733fab83e0dd20623cf036d9b698
SHA-1: 459cc6c2d62afb0a7ee450a84cc4f585bdf5fdb8
SHA-256: e11db70158ff01fdc824fec86ab165f31d715c12fe05fa006b6ebd75e01278e9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to obscure malicious destinations. One of these links, 'https://ttraff.ru/wix?keyword=olympus+infinity+jr+rewind', is identified as a known malicious redirector. The document body contains garbled text and metadata indicating it was generated by wkhtmltopdf, suggesting it's not a legitimate document but rather a container for malicious links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=olympus+infinity+jr+rewind

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006f72.bin
SHA-256: ecbb623d5ebc4f5b6c2360f6973ee08ff6e59a1464ce6fddf3bd44082456c7a9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6F72
Size: 5276 bytes

Filename: font_01_sfnt_off0000816a.bin
SHA-256: 104ff3fbd681a6f9ef5f3f74e2bedae7ed036389c6e5729598967450602b651b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x816A
Size: 10456 bytes