Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1fb6cca87405bec…

MALICIOUS

PDF

37.5 KB Created: 2020-08-16 16:11:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a17f0399ccb796af0e8761c7613eaac6 SHA-1: 6a7515118cfb5cd798c27b6f030c6e4cb645b611 SHA-256: f1fb6cca87405bec7d280426c0014c3914bd4dd9afbbb518670f9a39b1429f5f
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged for containing a malicious redirector link and a large number of external PDF links, suggesting a link farm or SEO abuse tactic. The presence of a visible command execution instruction indicates potential for further malicious activity. The primary malicious URL identified is https://ttraff.ru/pify?keyword=cameraman+ganga+tho+rambabu+songs++320kbps, which is known to host malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=cameraman+ganga+tho+rambabu+songs++320kbps
    • http://tazefa.aliceleon.com/uploads/1/3/1/4/131453416/dexuj.pdf
    • http://files.sydneynewhorizons.org/uploads/1/3/2/7/132710787/lozaratorepu_tatira.pdf
    • http://files.remotecmd.com/uploads/1/3/0/8/130813427/tezovamozoz_vokejavusit_wesapexuvoguxev_rijuvuras.pdf
    • http://files.wycliffelutterworthu3a.org/uploads/1/3/0/7/130738652/b7bd23746.pdf
    • https://cdn.shopify.com/s/files/1/0434/1897/6414/files/b._sc_mathematics_books.pdf
    • https://cdn.shopify.com/s/files/1/0434/6006/7480/files/67278893811.pdf
    • https://cdn.shopify.com/s/files/1/0435/5814/2120/files/34557512245.pdf
    • https://cdn.shopify.com/s/files/1/0433/0127/3755/files/81200213361.pdf
    • https://cdn.shopify.com/s/files/1/0432/6470/4662/files/24187300125.pdf
    • https://cdn.shopify.com/s/files/1/0436/8600/2838/files/disijujulevunavulivu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3095/3627/files/mollifies_crossword_clue.pdf
    • https://cdn.shopify.com/s/files/1/0436/2023/7475/files/xobugosori.pdf
    • https://cdn.shopify.com/s/files/1/0430/8969/0773/files/advanced_transport_phenomena_ramachandran.pdf
    • https://cdn.shopify.com/s/files/1/0445/7899/6383/files/5034885680.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005395.bin
0d2091ad30f6ea95a788dff627ce949628dfba60c36cf425f73310fecef643fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5395 5748 bytes
font_01_sfnt_off000066f0.bin
ec475a0653a73f03293716bc48739547aee62e220e30b946517d2bf6880cbe34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66F0 9980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.