Malicious PDF — malware analysis report

Static analysis result for SHA-256 f14786c9911a7ec4…

MALICIOUS

PDF

71.9 KB Created: 2020-08-29 08:28:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5de580d3f694685d805cbb888623e713 SHA-1: 13e7540b985d260ecc57fd442cac7b18397a6124 SHA-256: f14786c9911a7ec41fd5a93f1a4e76555306b5ea6d2f9c8f6bc43b897aff585c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing indicating it links to known malicious redirector infrastructure. It also contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or SEO poisoning attempt. The primary malicious URL identified is https://ttraff.ru/wix?keyword=d+d+brass+dragon+names, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL, reinforcing its role in the attack. No scripts were extracted, limiting the analysis of specific execution behaviors.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=d+d+brass+dragon+names
    • https://cdn.shopify.com/s/files/1/0435/9510/4418/files/lekaxi.pdf
    • https://cdn.shopify.com/s/files/1/0431/4945/9605/files/wofejodula.pdf
    • https://cdn.shopify.com/s/files/1/0433/8004/8023/files/wijaxavevamunatomadopupim.pdf
    • https://cdn.shopify.com/s/files/1/0435/2281/8212/files/75358366094.pdf
    • https://cdn.shopify.com/s/files/1/0433/0848/2724/files/39230772035.pdf
    • https://static.usrfiles.com/ugd/b8c837_7d3cd954f1da4bada83340c99be8475f.pdf
    • https://static.usrfiles.com/ugd/b8c837_de1879afb99948e58721224126c2868c.pdf
    • https://static.usrfiles.com/ugd/b8c837_51daf907da9847f090bb1f03e0535f51.pdf
    • https://cdn.shopify.com/s/files/1/0437/7542/6722/files/11119450608.pdf
    • https://cdn.shopify.com/s/files/1/0429/3702/4668/files/dunepatus.pdf
    • https://cdn.shopify.com/s/files/1/0431/2868/4701/files/bovomozomizewuj.pdf
    • https://static.usrfiles.com/ugd/b8c837_2a1dcee903664deeb25f85924ca5adc6.pdf
    • https://static.usrfiles.com/ugd/b8c837_84a4c545ef504f52b25e81874ff57296.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce59.bin
cf502429a250ff5925622e9edb8c5d0140837ee144dcc928425386c2575ef94b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE59 5252 bytes
font_01_sfnt_off0000e011.bin
90dacc5c81f311c43e877140baa5edb4fdae6387c40431c415ff563a53323482		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE011 16084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.