Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe80d97bba148de7…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Created: 2020-07-29 16:56:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f8b31686f1a103484deca63a73868e9
SHA-1: d94a05e7770330d67a3ac9ef69582157d5dfe7e0
SHA-256: fe80d97bba148de77842d4f5d51845a5e2621acb0bca120ece6c7b65cdcfd8b1
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, with one heuristic specifically identifying it as a 'PDF SEO Link Farm'. One of these links, 'https://ttraff.ru/pify?keyword=acls+review+made+incredibly+easy+pdf', is flagged as a malicious redirector. The document body is heavily obfuscated, but the presence of these links strongly suggests an attempt to lure users to malicious sites, likely for phishing or distributing further malware. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=acls+review+made+incredibly+easy+pdf
    • http://files.northwestmichiganlivestockcouncil.org/uploads/1/3/2/8/132814826/267641.pdf
    • http://files.rachelrainedesigns.com/uploads/1/3/1/4/131408432/fejareloza_tisiwubuwako_selojitarow.pdf
    • http://files.aniasorganics.com/uploads/1/3/1/0/131070539/430a8290c85.pdf
    • http://files.santacruzghosthunters.com/uploads/1/3/2/8/132814276/1216166.pdf
    • http://files.santacruzg
    • https://cdn.shopify.com/s/files/1/0431/9199/2484/files/99294239677.pdf
    • https://cdn.shopify.com/s/files/1/0428/6332/9446/files/39520648978.pdf
    • https://cdn.shopify.com/s/files/1/0433/5498/0505/files/nosudapakopolejigufolewo.pdf
    • https://cdn.shopify.com/s/files/1/0435/3484/4059/files/94596042239.pdf
    • https://cdn.shopify.com/s/files/1/0433/8450/4474/files/zufogorusazipobozanoniwu.pdf
    • https://cdn.shopify.com/s/files/1/0430/7252/0352/files/wafazum.pdf
    • https://cdn.shopify.com/s/files/1/0439/4627/9080/files/61689693599.pdf
    • https://cdn.shopify.com/s/files/1/0440/5651/0616/files/43233798208.pdf
    • https://cdn.shopify.com/s/files/1/0430/3942/4669/files/fimamowanufesekig.pdf
    • https://cdn.shopify.com/s/files/1/0430/2825/0781/files/wakasakamibenikujibo.pdf
    • https://cdn.shopify.com/s/files/1/0431/5892/9570/files/17307471591.pdf
    • https://cdn.shopify.com/s/files/1/0437/8296/3361/files/52638704598.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000081de.bin
    SHA-256: 5b75f26401f64dafa882714be93320b8a2c2a2f88a15ca9679498c451ff62cc3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81DE
    Size: 5280 bytes
  • Filename: font_01_sfnt_off000093b4.bin
    SHA-256: 0abdf4719480a6479f7363745b80c0f1500611b18a63951336d26ed8817a2103
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x93B4
    Size: 10884 bytes