Malicious PDF — malware analysis report

Static analysis result for SHA-256 edbea085c53a8903…

MALICIOUS

PDF

40.0 KB Created: 2020-08-31 18:08:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e1eae626fc5da5bedc4d7feaf85888a SHA-1: 8b5f7af1a6f364868e7f1f6659af3a8a17337249 SHA-256: edbea085c53a890334bb9169d690aa65ad0e6664daa5e8e7859e9ef72debc079
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=holiday+office+party+template'. It also exhibits characteristics of a PDF link farm, embedding numerous links, many of which point to benign Shopify domains but are likely used to obscure the malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure for a 'holiday office party template'. No scripts were extracted, but the presence of the malicious redirector and link farm suggests an attempt to direct users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=holiday+office+party+template
    • https://cdn.shopify.com/s/files/1/0434/0409/9740/files/reactions_of_ketones_and_aldehydes.pdf
    • https://cdn.shopify.com/s/files/1/0431/0879/4525/files/31478452152.pdf
    • https://cdn.shopify.com/s/files/1/0427/9618/7815/files/valanaraburefizuludaf.pdf
    • https://cdn.shopify.com/s/files/1/0440/8170/9206/files/sisowimib.pdf
    • https://cdn.shopify.com/s/files/1/0430/4617/4877/files/checkbook_register_app_for_android_tablet.pdf
    • https://cdn.shopify.com/s/files/1/0434/4319/1969/files/kesuzazedufedajiluxorew.pdf
    • https://cdn.shopify.com/s/files/1/0430/2045/1997/files/dolch_sight_words_worksheets_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/7038/2490/files/41461555925.pdf
    • https://cdn.shopify.com/s/files/1/0437/0428/7383/files/winumubuvunuvaguj.pdf
    • https://cdn.shopify.com/s/files/1/0432/1493/0084/files/duplicate_google_sheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006034.bin
edd14af30fee64a52d1cb777acddcb10fdd5bb329f880f128320f93ac75d11f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6034 5184 bytes
font_01_sfnt_off000071d0.bin
4824e3dce765974e8edd756daf9e5de511e331d96f4e14bf97e4362aa303457e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71D0 9952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.