Malicious PDF — malware analysis report

Static analysis result for SHA-256 f624a3e4e19453e4…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Created: 2020-08-29 01:23:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 688522c26003cb8d79f9773924372447
SHA-1: a094281c2afcf2e8208cfd1993728c00df6b72c0
SHA-256: f624a3e4e19453e4c36897f018dc1bcf706991c83a753cf2fba5238073705ad5
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm, and a critical heuristic fires for a malicious redirector. The document body, though heavily garbled, contains text suggesting a lure related to 'Pablo Escobar' together with the malicious URL. The primary malicious URL is on ttraff.ru, a host known to serve redirectors. The PDF also contains numerous links to shopify.com, likely part of a link farm used to improve search engine ranking for malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=descargar+pablo+escobar+el+patron+de
    • https://cdn.shopify.com/s/files/1/0429/5042/6780/files/71415126691.pdf
    • https://cdn.shopify.com/s/files/1/0429/2398/3015/files/84207001129.pdf
    • https://cdn.shopify.com/s/files/1/0438/4574/6838/files/9407643671.pdf
    • https://cdn.shopify.com/s/files/1/0429/3656/5923/files/vumixufux.pdf
    • https://cdn.shopify.com/s/files/1/0432/9318/0070/files/48735203949.pdf
    • https://cdn.shopify.com/s/files/1/0432/0044/6626/files/zodetarapepa.pdf
    • https://cdn.shopify.com/s/files/1/0438/0003/5485/files/fovol.pdf
    • https://cdn.shopify.com/s/files/1/0438/2756/0598/files/devil_s_advocate_book_karan_thapar_free.pdf
    • https://cdn.shopify.com/s/files/1/0434/8674/0646/files/fundamentals_of_cost_accounting_4th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0435/0840/0280/files/algebra_equations_worksheet.pdf
    • https://static.usrfiles.com/ugd/b8c837_3367e658e42746dfaa533ddcfa22ec36.pdf
    • https://static.usrfiles.com/ugd/b8c837_6f31e5b92342443bbf0fd6b95516c983.pdf
    • https://static.usrfiles.com/ugd/b8c837_434ccc9b8f9e4b3ba382b2214af7b011.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00005d96.bin
    SHA-256: 28d0b1b46630ed637c3e86e735be03bd5102faef452b66c4fc461839ae2a76e5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5D96
    Size: 5380 bytes
  • font_01_sfnt_off00006fde.bin
    SHA-256: b06ebfc31630d49cded6b7170d0bc54ee7d375fd5700c511c46e70a4c437b79e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FDE
    Size: 11072 bytes
  • font_02_sfnt_off00009443.bin
    SHA-256: f5dc0604138e793d9c73a6fcfd7242a7d0fce5cadd585302060b06131659a494
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9443
    Size: 16288 bytes