Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9b6142de318d0eb…

MALICIOUS

PDF

40.8 KB Created: 2020-08-21 22:52:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58e20fcab9113298d7fb382d01c5c1d5 SHA-1: d87a4b630defa70fdfd27e741de84e523efd4aa2 SHA-256: e9b6142de318d0ebea6de1f338d1aeca2d87ff60218f27e82d6d8f0503041159
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, identified as a PDF link farm. One of these links, 'https://ttraff.ru/pify?keyword=nico+hischier+injury+report', points to a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of a link farm and a malicious redirector indicates an attempt to drive traffic to malicious infrastructure, likely for further exploitation or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=nico+hischier+injury+report
    • http://rifimuxur.jeffersonpta.org/uploads/1/3/1/3/131380429/5450387.pdf
    • http://files.mattgeer.co.uk/uploads/1/3/0/9/130969748/xokamegosejexuz-kiwijaxefu.pdf
    • https://cdn.shopify.com/s/files/1/0427/8134/3900/files/blackmart_apk_for_android_2._3._6.pdf
    • https://cdn.shopify.com/s/files/1/0437/8463/4530/files/biological_classification_neet_mcq.pdf
    • https://cdn.shopify.com/s/files/1/0434/0780/2531/files/43633942278.pdf
    • https://cdn.shopify.com/s/files/1/0434/7281/4245/files/august_month_current_affairs_2020_bankers_adda.pdf
    • https://cdn.shopify.com/s/files/1/0430/5698/8317/files/zizakikilere.pdf
    • https://cdn.shopify.com/s/files/1/0438/5941/1094/files/resevakazoviluwiwapasika.pdf
    • https://cdn.shopify.com/s/files/1/0434/4184/8470/files/lesotubusod.pdf
    • https://cdn.shopify.com/s/files/1/0434/6642/4477/files/87740151965.pdf
    • https://cdn.shopify.com/s/files/1/0428/5192/6183/files/endress_hauser_promag_50_datasheet.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/52244446143.pdf
    • https://cdn.shopify.com/s/files/1/0430/3156/0354/files/dewafijijomusivubekoz.pdf
    • https://cdn.shopify.com/s/files/1/0460/1774/0967/files/swift_string_interpolation_number_format.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000616a.bin
8bec3ce7a5c0d4da10535bf49662d70027328888fe1dc48f858a7f5695e92c06		 pdf-font-stream PDF embedded font (sfnt) at offset 0x616A 4924 bytes
font_01_sfnt_off00007230.bin
675f4f3b912f21df375dd998c59b3bddc9b1bf55c3578905d28a3cea24427fbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7230 10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.