Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4d3c59698363a6b…

MALICIOUS

PDF

Size: 94.3 KB
Created: 2020-08-18 14:49:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd2a8857450c67cddc26e090cee73a79
SHA-1: 05fd91fe5bd1852c08f66ebf9e8947e7efb526e1
SHA-256: e4d3c59698363a6be3cf4f9f3a372ebea5c5a1953dde479de7ddbeac3c56bede
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF file matches a heuristic identifying it as a malicious redirector link, specifically pointing to 'https://ttraff.ru/pify?keyword=cascading+style+sheet+syntax+in+html'. It also exhibits the characteristics of a PDF link farm, with numerous external links, including one hosted on Shopify. The document further employs a social engineering lure, instructing the user to install a browser extension or update to view content, a common tactic for credential theft or malware installation. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure [high] SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=cascading+style+sheet+syntax+in+html
    • http://files.promablocks.com/uploads/1/3/1/1/131164488/94339d54b701ff.pdf
    • http://files.pshigodagirlsfarm.com/uploads/1/3/0/8/130815137/gonikalugazav-safirewoj-jafazebum.pdf
    • http://files.imagine2020expo.com/uploads/1/3/0/8/130874097/19aee.pdf
    • http://files.republicoftexans.com/uploads/1/3/0/7/130775825/8330047.pdf
    • http://files.honorflowers.com/uploads/1/3/1/4/131413766/viriboz.pdf
    • https://cdn.shopify.com/s/files/1/0435/9297/4499/files/actividades_de_la_defensa_nacional.pdf
    • https://cdn.shopify.com/s/files/1/0434/6737/4758/files/tajur.pdf
    • https://cdn.shopify.com/s/files/1/0437/6972/5080/files/sojupaxudejufube.pdf
    • https://cdn.shopify.com/s/files/1/0434/0567/2597/files/tajaxetenupiwafufivoxotek.pdf
    • https://cdn.shopify.com/s/files/1/0431/7783/6702/files/91812739920.pdf
    • https://cdn.shopify.com/s/files/1/0432/3491/8558/files/sepewuvonulesizur.pdf
    • https://cdn.shopify.com/s/files/1/0440/8855/7718/files/types_of_communication_with_references.pdf
    • https://cdn.shopify.com/s/files/1/0435/8910/7869/files/87556482493.pdf
    • https://cdn.shopify.com/s/files/1/0438/2054/8253/files/96125990392.pdf
    • https://cdn.shopify.com/s/files/1/0429/1674/1283/files/fury_prot_build.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vibemegabixowosepabotabux.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000110c9.bin | 78fb98e7323242022919b7fdb9f13ea3d9e2e233da3c91937e0b21eae1c01027 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110C9 | 5332 bytes
font_01_sfnt_off000122c5.bin | 734cb9bc4b870b324f646f219bc1054dcf4fd1caf714aae25dca4bdd7438dfa5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x122C5 | 16544 bytes
font_02_sfnt_off00015630.bin | 2c5f1a2e3d9f683f6a217a47aeaaae813f7d4ef732a5ff54a929695507d09140 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15630 | 16092 bytes