Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef6cea13b381b4fc…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Created: 2020-08-24 08:12:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9551847feb3e2c90768861ac8dc85be2
SHA-1: fc36b8a65058e6c446272aae8b6f5db6862769d6
SHA-256: ef6cea13b381b4fc9de9f2efa7d9c77443fa82b7ccc764b7fafc79f763eadbf4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged for containing a malicious redirector link and a large number of external PDF links, suggesting a link farm or SEO poisoning tactic. The primary malicious URL identified is ttraff.ru, which is known for redirecting to malicious content. While many Shopify links were present, they were mostly confirmed benign. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the specific lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=data+analysis+examples+pdf
    • http://files.lauriceimani.com/uploads/1/3/1/3/131381422/padivurodu.pdf
    • http://files.thesledshed.net/uploads/1/3/1/3/131380052/5e115717d2e55f.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7287/files/bold_and_determined.pdf
    • https://cdn.shopify.com/s/files/1/0462/7221/7237/files/66598556109.pdf
    • https://cdn.shopify.com/s/files/1/0431/9235/2932/files/aeroplane_landing_video.pdf
    • https://cdn.shopify.com/s/files/1/0461/9121/4743/files/illinois_foreign_corporation_annual_report_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0434/4990/9415/files/gunisevosozopotevevabefe.pdf
    • https://cdn.shopify.com/s/files/1/0430/7766/4929/files/75633211826.pdf
    • https://cdn.shopify.com/s/files/1/0434/0416/5285/files/83291705420.pdf
    • https://cdn.shopify.com/s/files/1/0428/9105/1161/files/73277640039.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006365.bin
  SHA-256: cb7739d1ea7ee40da15484e93ee668de36cea6b5dffd4aea21a1be3ffd10b0a8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6365
  Size: 5260 bytes

Filename: font_01_sfnt_off0000754f.bin
  SHA-256: 83d9492aef10086eb4501bcdbbb64dc8524d7ccaa729d34bf71bfc821809d519
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x754F
  Size: 10296 bytes