Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea58e127617036a8…

MALICIOUS

PDF

42.5 KB Created: 2020-08-20 02:17:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a08d3a8d0adb7f35bb9a58e54eec84f SHA-1: 63cade6bf7030d8ace96ef4ce255bb61e8651c05 SHA-256: ea58e127617036a89d51dafe4ccc7dc92c45c742cdc8a4f16a25342a55804d35
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, with numerous embedded URLs. One critical heuristic identified a link to a known malicious redirector, ttraff.ru, which is likely used to obscure the final malicious destination. The document body contains garbled text but also includes the same malicious URL and a large number of links to PDF files hosted on various domains, including Shopify. This suggests a campaign focused on SEO manipulation or redirecting users to malicious content through a large number of external links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=boy+songs+2019
    • http://files.thesudnickwinepress.com/uploads/1/3/1/6/131606260/68cfd4989d125f.pdf
    • http://molar.pozdolcounseling.com/uploads/1/3/1/4/131438225/jidaku.pdf
    • http://files.thecityoflife.com/uploads/1/3/1/6/131606640/vufamupajifow_zapetivuvibe.pdf
    • https://cdn.shopify.com/s/files/1/0430/4669/9165/files/luweraxumumajesotox.pdf
    • https://cdn.shopify.com/s/files/1/0440/2439/7989/files/dedoxinifemumakuneki.pdf
    • https://cdn.shopify.com/s/files/1/0431/5666/8573/files/20330161328.pdf
    • https://cdn.shopify.com/s/files/1/0428/5435/1015/files/84198317898.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/74523611049.pdf
    • https://cdn.shopify.com/s/files/1/0432/9200/0406/files/fugowejogovatijipirij.pdf
    • https://cdn.shopify.com/s/files/1/0433/2378/5370/files/sapupimujejosis.pdf
    • https://cdn.shopify.com/s/files/1/0435/5024/5028/files/41909053790.pdf
    • https://cdn.shopify.com/s/files/1/0430/8143/3242/files/tekitinoraniwenevuxopotu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069e1.bin
eb574ed643c379bd8246e918ef42d6aea5af135bd9571af58b6cbdd7a47b7ab5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69E1 5148 bytes
font_01_sfnt_off00007b90.bin
f922d327e44c346885273b5fb03398eec0b90e45d07af13f3f20fba2b2913b9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B90 10048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.