Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3a73627fa5da73a…

MALICIOUS

PDF

36.3 KB Created: 2020-08-22 23:03:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6f190382e5f053fe5ec667ff43e0722 SHA-1: ed9af0bdd5dd347b70ae84a16a5b54f1ed51a039 SHA-256: f3a73627fa5da73ab82cf3ae0d925dfcbdbe226ad7b26e883fc1056a5b5ff660
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links to external PDFs, some hosted on Shopify. The presence of a visual download button lure further supports the malicious intent. The document body contains obfuscated text and the malicious URL, suggesting a phishing or redirection attempt.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=bloody+roar+2+android+iso
    • http://files.medisysprepares.org/uploads/1/3/0/8/130874668/gufisigibir.pdf
    • http://jisafi.imaginerespiteservices.com/uploads/1/3/2/3/132303382/favuwujumewi_buzorusube.pdf
    • https://cdn.shopify.com/s/files/1/0434/7969/5517/files/water_supply_and_sanitary_engineering_by_rangwala.pdf
    • https://cdn.shopify.com/s/files/1/0432/8715/0752/files/37281268960.pdf
    • https://cdn.shopify.com/s/files/1/0433/6254/9910/files/mexutevuzamoxujip.pdf
    • https://cdn.shopify.com/s/files/1/0435/9222/0840/files/duriwaroxer.pdf
    • https://cdn.shopify.com/s/files/1/0434/5636/4711/files/91165203886.pdf
    • https://cdn.shopify.com/s/files/1/0431/6063/3504/files/15954235781.pdf
    • https://cdn.shopify.com/s/files/1/0436/0211/6772/files/38296685420.pdf
    • https://cdn.shopify.com/s/files/1/0434/6154/2054/files/64430256713.pdf
    • https://cdn.shopify.com/s/files/1/0431/7757/4562/files/35363834925.pdf
    • https://cdn.shopify.com/s/files/1/0433/7532/9441/files/how_to_get_silk_touch_in_minecraft.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004f52.bin
3a50a1deb7f389d6db41b0a87f9799c55a2a3b1703d758a9b59f75c607599fe2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4F52 5100 bytes
font_01_sfnt_off000060bb.bin
b3e04c94abeab0bfdbe44263dba0eed2caa3020ce15d8e690e0b69478c713c47		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60BB 10560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.