Malicious PDF — malware analysis report

Static analysis result for SHA-256 eddfd79f6a32877b…

MALICIOUS

PDF

40.4 KB Created: 2020-08-30 14:46:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c8e74f85175a2fbc79cdbb24856d0fe SHA-1: d9dac460ee61e1f908d4169713b9e6c9d1cdbcd9 SHA-256: eddfd79f6a32877b02e013ad9336df299e74463f502232ddd4dc5cdc1de71e0a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating it's a malicious redirector. One prominent link, 'https://ttraff.ru/wix?keyword=jesuit+guide+to+almost+everything', is directly associated with malicious redirector infrastructure. Another heuristic identified a PDF link farm, with 'https://cdn.shopify.com/s/files/1/0428/5975/7727/files/gmail_shortcuts_keys.pdf' being the first listed. The document body, though heavily obfuscated, contains references to these URLs, suggesting a social engineering attempt to direct users to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=jesuit+guide+to+almost+everything
    • https://cdn.shopify.com/s/files/1/0428/5975/7727/files/gmail_shortcuts_keys.pdf
    • https://cdn.shopify.com/s/files/1/0430/4420/8797/files/rowigenowenuvalimekidid.pdf
    • https://cdn.shopify.com/s/files/1/0433/6975/8874/files/6905515298.pdf
    • https://static.usrfiles.com/ugd/d775a9_05960dd51a104bf99769cf7ba56f1954.pdf
    • https://static.usrfiles.com/ugd/8b49c6_06e492b400264aa4a001c715b9889adf.pdf
    • https://static.usrfiles.com/ugd/ec0c41_1f28f15d7d924ff4b484320806e46815.pdf
    • https://static.usrfiles.com/ugd/0aab01_56331934cc324405a85c1483d2cbe94c.pdf
    • https://static.usrfiles.com/ugd/b8c837_3297023679d549498317115d8b4c9a26.pdf
    • https://static.usrfiles.com/ugd/b8c837_5efe5833b3c54858ac7df3b96a4a7ffc.pdf
    • https://static.usrfiles.com/ugd/856cea_c658ae4ef3db40e3acce1b1e4cb6adaf.pdf
    • https://static.usrfiles.com/ugd/b8c837_608b274125884702a3938e1ac8db3600.pdf
    • https://static.usrfiles.com/ugd/b8c837_d00699e14d084271a2a4c8d3ad75c5f0.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1602bded29e4b528f853f323498b7be.pdf
    • https://static.usrfiles.com/ugd/b8c837_d6aa5856e65c4a2897197dd5478ca743.pdf
    • https://static.usrfiles.com/ugd/77eba6_4defdf8cd1e648f88ad0af3e349f5ed1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060bb.bin
1d76c42c47f8a8127a3535856584356c9a9715077b64d8881ac820ef21bae8e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60BB 5392 bytes
font_01_sfnt_off000072ed.bin
5372db435aa5acdd2b1996c766c3fab930cbbf066d92295584b748d3bed5e0fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72ED 9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.