Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a6402feb2bb4bb2…

MALICIOUS

PDF

Size: 40.2 KB
Created: 2020-08-31 09:23:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78e190d68cb5ed7d9fe2e5e0ed779d8e
SHA-1: f749e3b0af14487fe912fd62ebfab8d1be63a3c1
SHA-256: 1a6402feb2bb4bb21e9191300a4429b7b83140a90416de0354399cb28e08105e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous links, with one pointing to a known malicious redirector at 'ttraff.ru'. This redirector is likely used to obscure the final malicious destination. The document body, though heavily obfuscated, contains the URL that triggered the malicious redirector heuristic, suggesting a lure related to 'cours medecine generale pdf'. The presence of multiple links to 'static.usrfiles.com' suggests a link farm or a method to host multiple lures.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/wix?keyword=cours+medecine+generale+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005eed.bin | 8a9c9c93176e58b5b9006653549f5c0500b931caf7c5013bf0e85f4f77db7f92 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EED | 5380 bytes
font_01_sfnt_off0000711c.bin | 96b1764fc9cef35b6461492e1e1d2e898a129c399b4f6bb5ce556e336ebb8cb8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x711C | 10188 bytes