Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed4a55cc5fa964a4…

MALICIOUS

PDF

45.3 KB Created: 2020-07-28 03:21:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74b067ca50796222105cf95c3ed246fd SHA-1: a1521aa50fb530bbc0018f95ed4e571bf945d07b SHA-256: ed4a55cc5fa964a4bfedf2ad42402cf727a37a6afc4e30625c3228ac1db90b7a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF_SEO_LINK_FARM'. The primary malicious URL identified is 'https://ttraff.ru/pify?keyword=bsnl+stv+karnataka+pdf', which is flagged as a malicious redirector. The document body is heavily obfuscated, preventing a clear understanding of its content, but the presence of numerous links strongly suggests a malicious intent, likely for phishing or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bsnl+stv+karnataka+pdf
    • http://files.heatherpotten.com/uploads/1/3/1/4/131454297/2610721.pdf
    • http://files.abitleftandabitlost.com/uploads/1/3/0/7/130740073/e90f494.pdf
    • http://files.wsuchallenge.org/uploads/1/3/0/7/130775912/lulojunilovu.pdf
    • http://files.mcclellandcollegemusic.com/uploads/1/3/0/7/130740012/9047269.pdf
    • http://files.abitleftandab
    • https://cdn.shopify.com/s/files/1/0431/1161/2572/files/nazexiv.pdf
    • https://cdn.shopify.com/s/files/1/0433/9607/1578/files/38318552407.pdf
    • https://cdn.shopify.com/s/files/1/0430/7098/0247/files/59604106364.pdf
    • https://cdn.shopify.com/s/files/1/0428/6211/7031/files/lisezefijirelubufisole.pdf
    • https://cdn.shopify.com/s/files/1/0433/9197/5580/files/jupatufef.pdf
    • https://cdn.shopify.com/s/files/1/0429/1136/7331/files/4052217985.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/wifufokamavobopizevotug.pdf
    • https://cdn.shopify.com/s/files/1/0431/2658/7549/files/reluzarofexabuvejaxulur.pdf
    • https://cdn.shopify.com/s/files/1/0431/1102/2756/files/81723002077.pdf
    • https://cdn.shopify.com/s/files/1/0440/2439/7989/files/7334839442.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sivezijikok.pdf
    • https://cdn.shopify.com/s/files/1/0434/6147/6504/files/30414417460.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000748e.bin
f73100987559c25ec6a4b40c8799559e995679688b0172072613830c08304651		 pdf-font-stream PDF embedded font (sfnt) at offset 0x748E 4720 bytes
font_01_sfnt_off0000849b.bin
9f7f0bf538392fda42d3d13a853db63a18121f0fcbf5ca1cdf784cf5cca79818		 pdf-font-stream PDF embedded font (sfnt) at offset 0x849B 10384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.