Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa49f96efca85900…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Created: 2020-08-30 19:18:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74fe0d5b5f671d5abc4c823611eed655
SHA-1: 2845308134bc922313b40c8c298a56f9b2b07c88
SHA-256: fa49f96efca8590018ec82e5127644ef65cd834aab3b512ebfa9ce74d0402504
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one specifically pointing to a known malicious redirector at 'ttraff.ru'. This suggests the document is designed to redirect users to potentially harmful websites, possibly for phishing or malware distribution. The presence of numerous other PDF links further supports the idea of a link farm intended to manipulate search engine results or distribute content.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • Redirector URL: https://ttraff.ru/wix?keyword=yorkie+puppy+ohio

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000054b7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x54B7   6588 bytes
  SHA-256: 24fd6868f187b5667792517f9f69d22ac5a3de5011d4d3824467392effeade79
font_01_sfnt_off00006531.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6531   4612 bytes
  SHA-256: f2152b9cbd06187c077cb27c6e012fa1b1b3f581db1d43a18fb1c960a1ae59eb
font_02_sfnt_off000074db.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x74DB   2192 bytes
  SHA-256: 07e8f345fbc5c21483cd0eee0887f8f4b0e8ebef5f5e182c5632cb034a6436e5
font_03_sfnt_off00007eee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7EEE   10784 bytes
  SHA-256: bfc02fea1a3f77c09949760e350ef6467df7f3557db137f5ed26c03244821e01
font_04_sfnt_off0000a3f9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA3F9   16148 bytes
  SHA-256: 64f21e55c2f29c6f605e8f9fd96e7f7b34f9b4a26fdc717ddead948457370e3b