Malicious PDF — malware analysis report

Static analysis result for SHA-256 e99a7b54c50a5973…

MALICIOUS

PDF

51.2 KB Created: 2020-08-10 19:32:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 866609300e49c91aca51002409856d09 SHA-1: 0cf28548f8fb88b68aac3b623de3bffe00015974 SHA-256: e99a7b54c50a5973be52b7c8e94406b0057bbe7dab537200585e5b99593962ea
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic identifying a malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be part of a lure. The primary malicious URL identified is https://ttraff.ru/pify?keyword=tutorial+google+classroom+espa%25C3%25B1ol+pdf, which is likely used to redirect the user to a phishing or malware-hosting site. The presence of a large number of external PDF links suggests a link farm used for SEO poisoning or to obscure the true malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=tutorial+google+classroom+espa%25C3%25B1ol+pdf
    • http://files.empressreadings.com/uploads/1/3/0/7/130775795/5721827.pdf
    • http://files.tillylunken.com/uploads/1/3/2/8/132814371/wipopexodedul.pdf
    • http://files.theflightproject.org/uploads/1/3/0/7/130775633/dedivapunexafeb.pdf
    • http://files.mccsignup.com/uploads/1/3/0/8/130814877/1b066c3974576.pdf
    • http://files.clocks4classics.com/uploads/1/3/0/8/130814308/64011f0.pdf
    • https://cdn.shopify.com/s/files/1/0432/8695/4139/files/angina_de_pecho_concepto.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/ruzulutusiwud.pdf
    • https://cdn.shopify.com/s/files/1/0431/7760/7324/files/33442932060.pdf
    • https://cdn.shopify.com/s/files/1/0451/0436/5733/files/libros_de_contaminacion_atmosferica.pdf
    • https://cdn.shopify.com/s/files/1/0429/3387/8940/files/85284286486.pdf
    • https://cdn.shopify.com/s/files/1/0433/5812/6245/files/logosaxu.pdf
    • https://cdn.shopify.com/s/files/1/0427/9838/3260/files/17139041588.pdf
    • https://cdn.shopify.com/s/files/1/0434/0196/9820/files/foxivamujigigixajonisufu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/tokavurovapipemekimisam.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/wiwatubaj.pdf
    • https://cdn.shopify.com/s/files/1/0434/2392/4376/files/mufepe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008776.bin
12472f09230861b0645e61da560731af42299259a8730821a30d00effc41f29e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8776 5636 bytes
font_01_sfnt_off00009a48.bin
2fe1a9e73bb201fcead69c893a80a243d5202ce952da113a12696ff84f62a1e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A48 10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.