Malicious PDF — malware analysis report

Static analysis result for SHA-256 f65e8823a580e58c…

MALICIOUS

PDF

42.7 KB Created: 2020-09-02 01:57:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3eea7f91dd678fdee8ba0bb007657c5c SHA-1: 320e400ea2844c433a285a40018cc02818defe4f SHA-256: f65e8823a580e58cc6c1526a9b66ff9b5fbe52e714c63e706daebf6c80117d51
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised as a search result. This indicates a phishing or social engineering attempt to direct the user to malicious content. The file also contains a large number of embedded links, many pointing to Shopify domains, suggesting a link farm or SEO poisoning tactic to improve search engine ranking for the malicious content. No scripts were extracted, limiting the analysis of further payload delivery mechanisms.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=can+you+play+3ds+games+on+android
    • https://static.usrfiles.com/ugd/eed56f_440ac82c330343a5861a31b6aa7805e6.pdf
    • https://static.usrfiles.com/ugd/493135_e9546ba27074489681d5641221b55b22.pdf
    • https://static.usrfiles.com/ugd/5ed537_10d4e956e01c47c38c28d2f9a9ccacbf.pdf
    • https://static.usrfiles.com/ugd/a421e3_c7abc5c35abb4b7489b37699ea210a9b.pdf
    • https://static.usrfiles.com/ugd/b8c837_84be9afa38154b139808240a5b1dc8c2.pdf
    • https://static.usrfiles.com/ugd/0a0016_1593e211987d4d7895f614a293ee7579.pdf
    • https://cdn.shopify.com/s/files/1/0431/6237/0210/files/19009165746.pdf
    • https://cdn.shopify.com/s/files/1/0429/9508/9559/files/49436730465.pdf
    • https://cdn.shopify.com/s/files/1/0430/9732/5732/files/17303116327.pdf
    • https://cdn.shopify.com/s/files/1/0432/9521/1680/files/status_epilepticus_guidelines_2016_ilae.pdf
    • https://cdn.shopify.com/s/files/1/0436/6375/3369/files/baneteviriw.pdf
    • https://cdn.shopify.com/s/files/1/0429/7120/1699/files/youtube_to_mp3_320_kbps.pdf
    • https://cdn.shopify.com/s/files/1/0438/5135/0166/files/17775367317.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006916.bin
70d207746403e4d80d66bf3c7268d734e7cae85133f15c71d88fcd33c7ace21d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6916 5448 bytes
font_01_sfnt_off00007b8c.bin
431275961d3c8ae4705ad84e09bb8573e87ce1c35dda4c80f87e4428ffd1ee70		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B8C 10208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.