Malicious PDF — malware analysis report

Static analysis result for SHA-256 f25a89dc39ec183f…

MALICIOUS

PDF

89.3 KB Created: 2020-07-25 06:27:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 868df5627a8ed47553c2f9906257e2c9 SHA-1: 7e2a86a88cb96b281862c52e4b738f05e8030d39 SHA-256: f25a89dc39ec183fa0d4c0a553efebe7c520148df24e9c10bdafb0c2b3345b07
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised as a search result for a business administration PDF. The file also exhibits characteristics of a link farm, embedding numerous external links, many of which point to Shopify-hosted PDFs. This suggests a campaign focused on SEO poisoning or driving traffic to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=administracion+de+empresas+koontz+pdf
    • http://files.jewellersguildofgreatersandringham.com/uploads/1/3/0/7/130738632/getozijuzilupa.pdf
    • http://files.stillpointatbeckside.com/uploads/1/3/2/6/132695213/pupidofisejebina.pdf
    • http://files.rightchoicesurrogacy.com/uploads/1/3/2/7/132712217/fimimuluni.pdf
    • http://files.truthserumhottopics.com/uploads/1/3/1/6/131606619/geseparajiga.pdf
    • http://files.neasedance.com/uploads/1/3/1/4/131406337/aa7e9ed2.pdf
    • https://cdn.shopify.com/s/files/1/0434/4807/4405/files/95289714431.pdf
    • https://cdn.shopify.com/s/files/1/0433/4652/6376/files/29872320035.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/perelenunewapufu.pdf
    • https://cdn.shopify.com/s/files/1/0429/6297/6921/files/53155253848.pdf
    • https://cdn.shopify.com/s/files/1/0433/9105/8070/files/xalopa.pdf
    • https://cdn.shopify.com/s/files/1/0431/0545/2193/files/39705726030.pdf
    • https://cdn.shopify.com/s/files/1/0434/7317/4680/files/kugogalotadezad.pdf
    • https://cdn.shopify.com/s/files/1/0428/5064/8223/files/99234573180.pdf
    • https://cdn.shopify.com/s/files/1/0440/0427/8422/files/85241046182.pdf
    • https://cdn.shopify.com/s/files/1/0435/3903/8360/files/89648853515.pdf
    • https://cdn.shopify.com/s/files/1/0440/0830/8886/files/nawapudadulawab.pdf
    • https://cdn.shopify.com/s/files/1/0433/3839/9912/files/tigakikufafinifogakagava.pdf
    • https://cdn.shopify.com/s/files/1/0429/6241/9863/files/88799296127.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011ed3.bin
2ac8c449dceba30f8de1f053d7866aff08868fcd235060881fb5eb1ff6ec11b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11ED3 5160 bytes
font_01_sfnt_off00013042.bin
5df367f3567fba4b52446822ed417dd50ce158e04f7eb43a2b59c39a1699e39f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13042 11364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.