Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebf6c9be06d9dd71…

MALICIOUS

PDF

40.5 KB Created: 2020-08-22 01:12:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a5461f5e3b9752c6954776cb3f9c140 SHA-1: 04f8cb925e3bb5c899d97875b741ceb21201d569 SHA-256: ebf6c9be06d9dd71593132ced67037a28cd47aa5375ed41a8c5f63124b82d30c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a PDF link farm. One of these links, https://ttraff.ru/pify?keyword=mycbseguide+app++apk, is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of a link farm and a malicious redirector indicates a likely phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=mycbseguide+app++apk
    • http://deparid.thebodycoalbury.com/uploads/1/3/1/6/131606938/ruxiviviraxoza-wakuwif-lexetu.pdf
    • http://files.usajjhq.org/uploads/1/3/0/9/130969926/2d6a5a0e0442.pdf
    • https://cdn.shopify.com/s/files/1/0440/8741/0840/files/berger_paint_dealers_price_list.pdf
    • https://cdn.shopify.com/s/files/1/0440/1076/6486/files/customer_service_assessment_test_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0453/9475/5752/files/beginner_s_guide_to_digital_painting_in_photoshop_elements.pdf
    • https://cdn.shopify.com/s/files/1/0437/2883/0632/files/gerunurapa.pdf
    • https://cdn.shopify.com/s/files/1/0431/3848/2332/files/ansible_git_clone.pdf
    • https://cdn.shopify.com/s/files/1/0431/9969/2958/files/30385823986.pdf
    • https://cdn.shopify.com/s/files/1/0435/7862/2111/files/benisupi.pdf
    • https://cdn.shopify.com/s/files/1/0437/1709/9685/files/pujesugefu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0673/0144/files/60913767867.pdf
    • https://cdn.shopify.com/s/files/1/0429/2762/0249/files/sunawapikulef.pdf
    • https://cdn.shopify.com/s/files/1/0434/0868/7269/files/28625284538.pdf
    • https://cdn.shopify.com/s/files/1/0430/5593/9733/files/lubixuwomubivadi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f7f.bin
e1f3c0679848e74cc45446bcd0ca117ec6651f47fb524e3e8686e373c63aadac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F7F 5424 bytes
font_01_sfnt_off0000720a.bin
fc58b37fc6e8eb348c196a828e0337f18a6b7c332a10e970a0c993d19a551bfc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x720A 10404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.