Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1f53f8011ce556d…

MALICIOUS

PDF

Size: 45.8 KB
Created: 2020-08-09 14:11:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ee34ed1b43334043a6701fe278c0d50
SHA-1: e8875cd3ce2dc9e70e8c90b9111d35e45d80e80e
SHA-256: e1f53f8011ce556d68d1a4d355f619e0a9c5dd1cf48f7798140166cb85fce01b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. The primary malicious link, https://ttraff.ru/pify?keyword=the+weight+of+glory+cs+lewis+free+pdf, is a known malicious redirector. This suggests the document is designed to distribute malware or lead users to phishing sites by leveraging SEO techniques to disguise malicious content. No scripts were extracted, and the document body is heavily obfuscated.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/pify?keyword=the+weight+of+glory+cs+lewis+free+pdf
    • http://files.buckeyehollowchurch.com/uploads/1/3/1/0/131070207/wovut.pdf
    • http://files.vendettamotorsports.com/uploads/1/3/1/3/131380295/jivipigoluxel_mabegilu.pdf
    • http://files.wellingresearchlab.com/uploads/1/3/2/7/132740707/d075bf90f6c.pdf
    • http://pewaw.ichdesigns.com/uploads/1/3/1/8/131871390/lidisenatal-wojepa-rijut.pdf
    • http://files.ashleyjana.com/uploads/1/3/0/9/130969334/7f3cec.pdf
    • https://cdn.shopify.com/s/files/1/0431/5856/9115/files/59083185835.pdf
    • https://cdn.shopify.com/s/files/1/0428/3518/1734/files/70556653844.pdf
    • https://cdn.shopify.com/s/files/1/0440/0077/2254/files/dizoxu.pdf
    • https://cdn.shopify.com/s/files/1/0429/9912/0033/files/96298197525.pdf
    • https://cdn.shopify.com/s/files/1/0438/8972/1496/files/dictionary_of_public_administration.pdf
    • https://cdn.shopify.com/s/files/1/0437/7765/4935/files/certificate_of_origin_form.pdf
    • https://cdn.shopify.com/s/files/1/0432/5254/7739/files/ramisufo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8578/3455/files/juxosu.pdf
    • https://cdn.shopify.com/s/files/1/0437/5235/8042/files/94799375362.pdf
    • https://cdn.shopify.com/s/files/1/0434/8382/4294/files/71565129977.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000756d.bin
    SHA-256: c49d514f86a00ca0e18840edd7b6b18db153e093349892a0f858bc91fa120943
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x756D
    Size: 5348 bytes
  • Filename: font_01_sfnt_off000087be.bin
    SHA-256: aa1527cf49d2c5a3ce96f3c9fd97e7d407e1c7120ae9499c3f794091e1a91af8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x87BE
    Size: 10208 bytes