Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb9e25a0d478129f…

MALICIOUS

PDF

39.2 KB Created: 2020-08-22 18:50:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 585a4329e41e90368b3d5a818e16b890 SHA-1: 0a05620749faae312544309a0dd0cf5cf16809bc SHA-256: fb9e25a0d478129f3611f7a41772a41425541699391450a83c4574e7cc01b1f9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to a known malicious redirector at `https://ttraff.ru/pify?keyword=cambridgeshire+school+admission+form`. The document body, though partially corrupted, also contains this URL and numerous other links hosted on `cdn.shopify.com` and various other domains, suggesting a link farm or redirection strategy. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=cambridgeshire+school+admission+form
    • http://files.halseyband.com/uploads/1/3/0/8/130813876/jerigegipurak.pdf
    • http://files.victoriapowersstudioten.com/uploads/1/3/1/6/131636819/d7924c.pdf
    • http://files.asim-lab.com/uploads/1/3/0/8/130813111/dujasomibepedos_modetobowawokuz_mozej.pdf
    • http://files.soapboxstudios.com.au/uploads/1/3/0/9/130969089/9c40888174.pdf
    • http://files.guideturisticheancona.com/uploads/1/3/1/4/131407080/dinagukeb.pdf
    • https://cdn.shopify.com/s/files/1/0433/9168/0673/files/solidworks_routing_parts.pdf
    • https://cdn.shopify.com/s/files/1/0436/7984/2457/files/teburaropiga.pdf
    • https://cdn.shopify.com/s/files/1/0428/4933/7507/files/26862331677.pdf
    • https://cdn.shopify.com/s/files/1/0434/9011/5748/files/52214580136.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/27150836515.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0219/files/76036051649.pdf
    • https://cdn.shopify.com/s/files/1/0439/1819/6891/files/74748979756.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/19085525902.pdf
    • https://cdn.shopify.com/s/files/1/0431/2891/4074/files/calineczka_ba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b80.bin
83347d83dbb3d91c5028d05d087913e532008d79ace22389fb2fd4efda2dad3f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B80 5480 bytes
font_01_sfnt_off00006e02.bin
0f19e6f648cfa632b64b1ebab4c65976c83c170385a514a4c3a58dc4c1ed1b73		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E02 10036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.