Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee8ce85bbcd7525e…

MALICIOUS

PDF

53.0 KB Created: 2020-08-28 22:23:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 719b4f297bba92c87e64ee157d8e42d5 SHA-1: 1a3895b815327b2bcbdadf74e79b8f2060cce13d SHA-256: ee8ce85bbcd7525efc7b688b518dad93c7f62b475d6aab3aca7074ebc9764e73
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, a common tactic for SEO poisoning and redirecting users to malicious sites. One critical heuristic identified a link to known malicious redirector infrastructure at 'https://ttraff.ru/wix?keyword=bard+of+blood+novel+pdf+free'. The document body, though heavily obfuscated, contains text related to a 'bard of blood novel pdf free' lure, reinforcing the phishing pretext. No scripts were extracted, but the primary attack vector appears to be the malicious redirection link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=bard+of+blood+novel+pdf+free
    • https://cdn.shopify.com/s/files/1/0430/9729/2967/files/wumeni.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3356/files/79105343072.pdf
    • https://cdn.shopify.com/s/files/1/0462/3899/0496/files/71267302092.pdf
    • https://cdn.shopify.com/s/files/1/0447/3035/1770/files/key_account_manager_resume.pdf
    • https://cdn.shopify.com/s/files/1/0428/5625/1555/files/44833759160.pdf
    • https://static.usrfiles.com/ugd/b8c837_d67cc1a50274440aa9e2f9275bacda63.pdf
    • https://static.usrfiles.com/ugd/b8c837_e0c235dfc35946d0a1b74cd1f9022525.pdf
    • https://cdn.shopify.com/s/files/1/0465/9501/4821/files/beep_song_free_tamiltunes.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tobilefoseparavako.pdf
    • https://cdn.shopify.com/s/files/1/0428/4848/5535/files/nevesudi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nefodegaxinavikiva.pdf
    • https://cdn.shopify.com/s/files/1/0436/5749/4693/files/lil_wayne_something_you_forgot.pdf
    • https://static.usrfiles.com/ugd/b8c837_44cef91b3e7e4b7b847f258b7b565b86.pdf
    • https://static.usrfiles.com/ugd/b8c837_905e9cdaf7a34985affe289ff31e9f70.pdf
    • https://static.usrfiles.com/ugd/b8c837_0cb7a68ba40f40898af76c2d6bd1c429.pdf
    • https://static.usrfiles.com/ugd/b8c837_9e0823010ef84d159ac91ae40d069f73.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000917b.bin
b05a1b2762e55e849625ee29a98492d312b4e5cb0340230365bdfbee8c40dfb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x917B 5108 bytes
font_01_sfnt_off0000a2ec.bin
907a4e2ddde54e73bd61cef1ea0506aa31b0c5eea24de628141d0513a8241f7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA2EC 10512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.