Malicious PDF — malware analysis report

Static analysis result for SHA-256 19e2fdc6ddd28008…

MALICIOUS

PDF

43.5 KB Created: 2020-09-02 16:29:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 835eece53af183b54801c3dc175fd6b5 SHA-1: 1e5a9fc413e046f60198b670e8cac491a2505ca0 SHA-256: 19e2fdc6ddd28008d85e0ac1dc3e1cec3f9995d4b5ec12b8d0f817d1526b59e9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique commonly used in SEO link farms to manipulate search engine rankings or distribute malicious content. One of the primary links, 'https://ttraff.ru/wix?keyword=cambridge+advanced+sample+test+pdf', is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other benign-looking PDFs hosted on 'static.usrfiles.com', suggesting a coordinated effort to lure victims through a chain of redirects.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=cambridge+advanced+sample+test+pdf
    • https://static.usrfiles.com/ugd/760101_5f76196b800d46ecbbaab0ea92630108.pdf
    • https://static.usrfiles.com/ugd/bca722_589c0ae787ba4af697aa23a507ac5768.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_3d0bd60e6d91404bba2e8bb7bd56f447.pdf
    • https://static.usrfiles.com/ugd/b8c837_c7e4fed6a1414531bd4851100916ddb1.pdf
    • https://static.usrfiles.com/ugd/111c46_847937f99f5e43fa8c0e98cd1ffe86f6.pdf
    • https://static.usrfiles.com/ugd/97aff7_9f98b506f11b4d9080f11ab0c2ffd476.pdf
    • https://static.usrfiles.com/ugd/b8c837_f813b776b3b2450196a554948a86c5eb.pdf
    • https://static.usrfiles.com/ugd/11276f_6e5e2b75e9fe475d88280bf067728c2b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4b3f0b65bf3644adac43ea71689f2f6b.pdf
    • https://static.usrfiles.com/ugd/8a05ec_a857945ec397447b96bf26299ccefe61.pdf
    • https://static.usrfiles.com/ugd/d1d005_c675c570b32649aa88bf64bd81c3b38d.pdf
    • https://static.usrfiles.com/ugd/b8c837_e824070f6e1745b1bfb4cc3cb22c099a.pdf
    • https://static.usrfiles.com/ugd/8a419d_273064341c70490bb7fad6eef654d2db.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1e15348104e4cf1a43f89dd17fac07f.pdf
    • https://static.usrfiles.com/ugd/6f58fb_4202bd0ef546462c934f8ac2e91cf537.pdf
    • https://static.usrfiles.com/ugd/4d935e_83cda5c2549b40cf99dd0c9b0c047572.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a8c.bin
35987c9709ed408fe5ce3d4ef6f62e311c586de29048a2c626361e45252f4d0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A8C 5580 bytes
font_01_sfnt_off00007d6e.bin
43c0714bf758e16c4ee637540ea4c5bce3e6b3d561601489707ffdba52527ac6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D6E 10444 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.