Malicious PDF — malware analysis report

Static analysis result for SHA-256 e410239a3b605f32…

MALICIOUS

PDF

53.3 KB Created: 2020-08-05 16:01:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7016c689b46d672a9a290897b6720c5c SHA-1: 2f1f61e495b21c513fc34d42ba8ec25ef0948539 SHA-256: e410239a3b605f32516cd485950e15748ee7035278d9e5aa2ae45070c9a325f2
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=engineering+drawing+book+pdf+in+english'. This URL is part of a link farm designed to attract users searching for specific PDF content. The document body, though heavily obfuscated, contains references to this URL and other benign-looking Shopify links, likely as a distraction. The presence of a 'SE_LOLBIN_RUN_COMMAND' heuristic suggests the PDF may also contain embedded commands or instructions to execute malicious code, further supporting the malicious intent.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=engineering+drawing+book+pdf+in+english
    • http://files.newcenturyplayers.com/uploads/1/3/1/6/131637014/kinofam_xalagezuruditeg_rabijufabe.pdf
    • http://files.thermotrix.com/uploads/1/3/1/4/131407734/12612e9.pdf
    • http://files.risingartistfestival.com/uploads/1/3/0/7/130775848/7878248.pdf
    • http://files.curlessence.com/uploads/1/3/1/4/131483143/887575.pdf
    • https://cdn.shopify.com/s/files/1/0431/3733/5464/files/75734197959.pdf
    • https://cdn.shopify.com/s/files/1/0435/5247/3252/files/rational_function_domain_and_range.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87745409623.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78649322563.pdf
    • https://cdn.shopify.com/s/files/1/0430/0223/2983/files/josexiniremomuwux.pdf
    • https://cdn.shopify.com/s/files/1/0427/5693/1751/files/fefatozeravirujibokux.pdf
    • https://cdn.shopify.com/s/files/1/0433/3764/6245/files/xowemezak.pdf
    • https://cdn.shopify.com/s/files/1/0431/2412/9952/files/lofujabonebenumizomij.pdf
    • https://cdn.shopify.com/s/files/1/0427/9091/2159/files/luwawo.pdf
    • https://cdn.shopify.com/s/files/1/0434/3123/1644/files/8793781368.pdf
    • https://cdn.shopify.com/s/files/1/0434/7772/9432/files/resetting_echo_dot.pdf
    • https://cdn.shopify.com/s/files/1/0437/2171/9959/files/zufuzekorowamiwep.pdf
    • https://cdn.shopify.com/s/files/1/0429/6278/0311/files/vafipadafoj.pdf
    • https://cdn.shopify.com/s/files/1/0435/9749/6488/files/ncert_maths_class_11_solution.pdf
    • https://cdn.shopify.com/s/files/1/0432/2190/9662/files/12664530200.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0432/2190/9662/files/12664

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006219.bin
03a81998c5fb591caa986629a5454d12cba2fc9b3870d54de38748d4791b9e0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6219 5556 bytes
font_01_sfnt_off00007512.bin
026de1076dad6614fee7b4839f066e743e4238b5ddea94259138cfcd618330b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7512 2320 bytes
font_02_sfnt_off00007f64.bin
f13818e2fac29ffd991c5a2f37ffbbdf1a6af0cf8c0c594e3b56d2a7274050cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F64 10408 bytes
font_03_sfnt_off0000a34a.bin
7a7e0f9cb89785dee93ecfbcc78ef93b5a18a5022886c2d5a0bf15d9412c15a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA34A 16224 bytes
font_04_sfnt_off0000b8d2.bin
f33257464b89281f60872e376af49390409e459dc496b76678d017f77cef2c3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB8D2 3632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.