Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff50dac42a9060fb…

Verdict: MALICIOUS

File type: PDF

Size: 45.7 KB
Created: 2020-08-31 16:02:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52e62665516e597bf57a9f12e21685c2
SHA-1: fd7575abe99f373eb5fd6ca51dfde8e83a9890e9
SHA-256: ff50dac42a9060fbf74fedd0d8c1a66520b473b5df0692fa738dac828eaff0d3
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link and a link farm, indicating an attempt to drive traffic to malicious infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.ru/pify?keyword=gelatin+sheets+for+gingerbread+house+windows, which is flagged as malicious. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=gelatin+sheets+for+gingerbread+house+windows

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off00007335.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x7335    5432 bytes
  SHA-256: b0d24a4773fdc58d306818fb2494f1c3d9eb15e03d0471f2d6e3c7e8479c21c5
font_01_sfnt_off000085b7.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x85B7    10608 bytes
  SHA-256: c37d6bbf54b228a27b0a271ba14a6ae96acd6d7b6632dd94919879ce7a214c6c