Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1efe9ca2cbbebef…

MALICIOUS

PDF

34.2 KB Created: 2020-08-30 20:09:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fa630e1c9d3c2d6ad4815db89b2ed0f SHA-1: fb75bdf0d37fd016bff1b46b3d4ce0a69871a9e6 SHA-256: f1efe9ca2cbbebef09f7a149ef20fa9bd008b5f8bb98ccb1707dd25c0e9f710c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its structure, which includes a large number of embedded links to other PDF files, characteristic of a link farm. One of these links, 'https://ttraff.ru/wix?keyword=6.6+meiosis+and+genetic+variation', points to known malicious redirector infrastructure. The document body contains garbled text and metadata indicating it was generated by wkhtmltopdf, suggesting it's not a legitimate document but rather a container for malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=6.6+meiosis+and+genetic+variation
    • https://cdn.shopify.com/s/files/1/0437/4704/9621/files/apk_play_store_pro_apkpure.pdf
    • https://cdn.shopify.com/s/files/1/0430/7389/6602/files/33350877628.pdf
    • https://cdn.shopify.com/s/files/1/0464/5286/7240/files/fare_chart_indian_railway.pdf
    • https://cdn.shopify.com/s/files/1/0433/3977/6159/files/lejijadajawesiwifixelu.pdf
    • https://cdn.shopify.com/s/files/1/0431/8032/7076/files/linux_commands_for_networking.pdf
    • https://static.usrfiles.com/ugd/76156b_d1bbe1ac9aef466a80b859ec6d5546b0.pdf
    • https://static.usrfiles.com/ugd/b8c837_867dfd62903a4df59efb9f9b30a9b231.pdf
    • https://static.usrfiles.com/ugd/b8c837_59343a23c8c142e099bce8d6b319adda.pdf
    • https://static.usrfiles.com/ugd/0d089b_9601c61bd47040c7a0aa0ec002996c00.pdf
    • https://static.usrfiles.com/ugd/625844_99161daf0a7146e6a6d193ca0465c4b0.pdf
    • https://static.usrfiles.com/ugd/b8c837_ef293696e40146b081cc655ead63f4dd.pdf
    • https://cdn.shopify.com/s/files/1/0459/8746/3335/files/hedwigs_theme_recorder.pdf
    • https://cdn.shopify.com/s/files/1/0432/6539/2804/files/five_minute_activities_for_young_learners.pdf
    • https://cdn.shopify.com/s/files/1/0431/2452/3169/files/tabela_carbonatao_forada.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000048ee.bin
dc9bc8da30e8527498df9c29a1a16d7e1d3ebb4422f521d3c7e747489a884f46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48EE 5376 bytes
font_01_sfnt_off00005b22.bin
f879bd41b479e916efc3898c5a67101051533b696c46785b3fd617bcc3144ac9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B22 9668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.