Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb00cf16412be4bb…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Created: 2020-08-19 02:46:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fb05d03267ba3670a8174a09277a187
SHA-1: e441cf20f78df322ff5b993a42b9d96eb20b2a70
SHA-256: fb00cf16412be4bbd1366e455c25f19f122e520e742c26cb4ffadc94c98f59af
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious due to its extensive use of external links, a technique often employed for SEO manipulation or to redirect users to malicious content. One of the embedded URLs, https://ttraff.ru/pify?keyword=android+network+application, is flagged as a known malicious redirector. The document body contains garbled text but includes the same suspicious URL and several other PDF links hosted on Shopify and other domains, some of which are flagged as unknown.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.ru/pify?keyword=android+network+application

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off00006176.bin  | 6bd35abec5b5c33e3c8a9513b1c56332250bf2892b4a51f5400a2b29d97f9c92 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6176 | 5036 bytes
font_01_sfnt_off000072af.bin  | c689e86174ca7d7a0c0088d92a7a786c7f290d4755ec7c590ae8c960e5f49f03 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x72AF | 10176 bytes