Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9e50721e965d250…

MALICIOUS

PDF

52.1 KB Created: 2020-08-31 03:23:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6908fda0758099913729ef0655034695 SHA-1: 17ecb2cda5c49a199f8c45dba789b522d0983287 SHA-256: e9e50721e965d250bae189c5643ee1baf8636aaf84ca7dca3d5cd6a95d8ddba0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=medicinal+chemistry+pharmacy+notes+p'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, including one to 'https://cdn.shopify.com/s/files/1/0438/4115/9333/files/toro_snowblower_won_t_start.pdf'. The document body, though heavily obfuscated, contains these URLs, suggesting the primary intent is to redirect the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=medicinal+chemistry+pharmacy+notes+p
    • https://cdn.shopify.com/s/files/1/0438/4115/9333/files/toro_snowblower_won_t_start.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/67062005494.pdf
    • https://cdn.shopify.com/s/files/1/0457/8099/2166/files/55959534605.pdf
    • https://cdn.shopify.com/s/files/1/0432/4989/3531/files/liletekef.pdf
    • https://cdn.shopify.com/s/files/1/0428/8705/3475/files/10182164981.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rejupabofutub.pdf
    • https://cdn.shopify.com/s/files/1/0429/5757/0207/files/13866549402.pdf
    • https://cdn.shopify.com/s/files/1/0432/9072/2454/files/esxi_web_client_url.pdf
    • https://cdn.shopify.com/s/files/1/0432/4907/4340/files/soxezemukugabod.pdf
    • https://cdn.shopify.com/s/files/1/0430/2897/1681/files/wavirilixit.pdf
    • https://cdn.shopify.com/s/files/1/0430/7025/9357/files/1665708803.pdf
    • https://cdn.shopify.com/s/files/1/0430/9273/8201/files/frontline_commando_ww2_for_pc_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/9802/1793/files/cash_flow_forecast_template.pdf
    • https://cdn.shopify.com/s/files/1/0429/2768/5798/files/tavojeregu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000084a2.bin
ee6990d3b0a69e595be46f10f563d3947b4acecd16d972918eb72145b160a106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84A2 5420 bytes
font_01_sfnt_off000096e2.bin
3865b5c33238d3d21c7f5beae5f40bdd9de3de3c15f82c2bdf3d1efb455f82f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x96E2 14280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.