Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc9f4dd314f93eaa…

MALICIOUS

PDF

50.0 KB Created: 2020-08-30 22:26:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8295678054c00e8a37805b05a987b08b SHA-1: ca08d6a5fba50c6ebe0f4bb0f2f6b7aeb1b0cc3c SHA-256: fc9f4dd314f93eaa5841672f7d2c9cdc16e117ffb61f2c87711d0acacabbcb4d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to SEO-optimized PDF files hosted on Shopify. One of these links, 'https://ttraff.ru/wix?keyword=french+cartomancy+card+meanings', is identified as a malicious redirector. This suggests a campaign to drive traffic to malicious infrastructure through a link farm.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=french+cartomancy+card+meanings
    • https://cdn.shopify.com/s/files/1/0449/9727/9908/files/business_analyst_behavioral_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0434/1124/3164/files/australia_super_fund_performance_2018.pdf
    • https://cdn.shopify.com/s/files/1/0428/9105/1161/files/93754742424.pdf
    • https://cdn.shopify.com/s/files/1/0434/5797/0329/files/39622791123.pdf
    • https://cdn.shopify.com/s/files/1/0430/5698/8317/files/77089338481.pdf
    • https://cdn.shopify.com/s/files/1/0438/5295/5810/files/successful_agro_tourism_innovative_ideas.pdf
    • https://cdn.shopify.com/s/files/1/0433/8938/6917/files/arihant_banking_awareness_book.pdf
    • https://cdn.shopify.com/s/files/1/0435/8835/4207/files/letter_from_birmingham_jail_color_coded.pdf
    • https://cdn.shopify.com/s/files/1/0434/0786/8060/files/sullair_chipping_hammer_parts_manual.pdf
    • https://cdn.shopify.com/s/files/1/0427/5693/1751/files/41654207209.pdf
    • https://cdn.shopify.com/s/files/1/0429/6340/2905/files/levels_of_government_worksheet_answers.pdf
    • https://cdn.shopify.com/s/files/1/0427/4647/8759/files/pigafewivufuxulaketusam.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pigirerunozekolufis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007038.bin
5b8f3eb81c8e63fff5d4c5a665763a5000d8a14787b9200a132a85e686dcdc01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7038 5376 bytes
font_01_sfnt_off00008253.bin
19ac72f3a388fa32d0855f4cded682a9cf53844ba2eb04ae19ce4fd77289c56a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8253 10344 bytes
font_02_sfnt_off0000a5d2.bin
f469c5aa689aa4c1965481b78cfaebbf1c3ebdad2306c7067134b7b4aaa0addd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA5D2 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.