Malicious PDF — malware analysis report

Static analysis result for SHA-256 26900ed8d82be818…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Created: 2020-08-30 01:53:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ccec22c010e2b1786603cdbb9efc37a
SHA-1: 207f05145d4061281f6d55b9a2565fa391e845fa
SHA-256: 26900ed8d82be818508080cd8dcb4b76de8f4a0a28af48d6352697d57d4f8e57
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable links, most of which point to other PDF files hosted on static.usrfiles.com and together form a link farm. One of the primary links, however, points to ttraff.ru, which is flagged as a malicious redirector. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a machine-generated document rather than an authored one. Taken together, this indicates a document built to lure users into clicking links, likely as part of a phishing or unwanted-software distribution campaign; it depends on user interaction and redirect chains, not on a PDF parser vulnerability.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=interglacial+and+glacial+periods
    • https://static.usrfiles.com/ugd/565485_b77762532dff4915ba20d85c03ee21aa.pdf
    • https://static.usrfiles.com/ugd/d54300_0f9d2774ce384a59bbe9caba604f92f7.pdf
    • https://static.usrfiles.com/ugd/c20ea7_aa4a0f046f6c4d63b302267398f64c7c.pdf
    • https://static.usrfiles.com/ugd/b5aed9_4ff62dbf1b9f4db1b15c5c60712a48a7.pdf
    • https://static.usrfiles.com/ugd/b8c837_fc9fbe74a5f4431db8ba452051342171.pdf
    • https://static.usrfiles.com/ugd/b8c837_107ea472e23142c1ade4d378904ae83b.pdf
    • https://static.usrfiles.com/ugd/b8c837_8d82f48c52684b2cb2f4299c37467ed4.pdf
    • https://static.usrfiles.com/ugd/b7ed05_c407f9117ab0413097cf9c01746743b8.pdf
    • https://static.usrfiles.com/ugd/5fd5c1_b81c1470695e406084a513421b601f25.pdf
    • https://static.usrfiles.com/ugd/b8c837_809096bc45d647aabe6144a7a1001dca.pdf
    • https://static.usrfiles.com/ugd/b8c837_1a9a94e16e1245bf9f198ea971a5db30.pdf
    • https://static.usrfiles.com/ugd/ce14f3_029c7009721b4835b2729e908df72737.pdf
    • https://static.usrfiles.com/ugd/de60da_bda237cb7af647158c7d99fdbd2236af.pdf
    • https://static.usrfiles.com/ugd/c7a620_9a11472077ba49e7b2851e6cc5cb08b7.pdf
    • https://static.usrfiles.com/ugd/834936_2d1331ffe06e4ba4b7aceb1f85a53941.pdf
    • https://static.usrfiles.com/ugd/166c09_e8462b085eb84e7e8c011c6f8dc4721f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e83e3481299b4288ad3cabdcf6e33d37.pdf
    • https://static.usrfiles.com/ugd/f103bb_397150778d0742df80279693d47f1322.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six URIs above are XMP/RDF schema namespaces from the document's metadata packet, not clickable links; they appear in any PDF that carries XMP metadata and should be excluded before counting external links.
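As an added example (not the scanner's own code), the following Python script applies the two heuristics above to a PDF's raw bytes. It pulls /URI values out of uncompressed objects and out of any FlateDecode stream it can inflate (in PDF 1.5 and later, annotation dictionaries may be packed into object streams that a plain byte scan would miss), runs a generic URL scan for the "body" channel, drops XMP/RDF namespace URIs as metadata rather than links, clusters the remaining external links by host, and flags known redirector hosts. The thresholds (200 KB, at least 10 .pdf links, 60% on one host), the blocklist holding ttraff.ru, and the sample PDF built by build_sample_pdf() are assumptions constructed for illustration; the rule IDs reuse the report's names.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Schema namespaces found in XMP metadata packets; they are metadata, not links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)
# Assumed blocklist for the example; a real one comes from threat intelligence.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")  # /URI (....)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")          # /URI <hex>
GENERIC_URL = re.compile(rb"https?://[^\s<>\"'()\[\]]+")
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def searchable_buffers(pdf_bytes):
    """Raw file plus every stream body zlib can inflate (object streams)."""
    buffers = [pdf_bytes]
    for m in STREAM_BODY.finditer(pdf_bytes):
        try:
            buffers.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (image, font, XMP packet, ...)
    return buffers


def extract_urls(pdf_bytes):
    """(channel, url) pairs: 'link-annotation' for /URI values, 'body' otherwise."""
    found, seen = [], set()
    for buf in searchable_buffers(pdf_bytes):
        for m in URI_LITERAL.finditer(buf):
            lit = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
            found.append(("link-annotation", lit.decode("latin-1")))
        for m in URI_HEX.finditer(buf):
            hexstr = re.sub(rb"\s", b"", m.group(1)).decode()
            hexstr += "0" * (len(hexstr) % 2)  # PDF permits an odd final digit
            found.append(("link-annotation", bytes.fromhex(hexstr).decode("latin-1")))
        seen.update(u for _, u in found)
        for m in GENERIC_URL.finditer(buf):
            url = m.group(0).decode("latin-1")
            if url not in seen:  # only URLs no annotation already reached
                seen.add(url)
                found.append(("body", url))
    return found


def triage(pdf_bytes, max_size=200 * 1024, min_pdf_links=10, cluster_ratio=0.6):
    """Apply the two report heuristics; thresholds are assumptions for the example."""
    urls, namespace_hits = [], 0
    for channel, url in extract_urls(pdf_bytes):
        if url.startswith(XMP_NAMESPACE_PREFIXES):
            namespace_hits += 1  # metadata schema URI, not a clickable link
        else:
            urls.append((channel, url))
    external = [u for _, u in urls if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in external)
    findings = []
    redirectors = sorted(h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS)
    if redirectors:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links:
        top_host, n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             ["%d/%d .pdf links on %s" % (n, len(pdf_links), top_host)]))
    return {"urls": urls, "hosts": hosts, "namespace_hits": namespace_hits,
            "findings": findings}


def build_sample_pdf():
    """Constructed sample (not the analysed file): plain, hex-encoded and
    object-stream /URI annotations plus an XMP packet with namespace URIs."""
    def link(u):
        return b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + u.encode() + b") >> >>"
    farm = ["https://static.usrfiles.com/ugd/%06x_%s.pdf" % (i, "ab" * 16) for i in range(12)]
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
    objs += [link(u) for u in farm[:10]]
    objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI <"
                + farm[10].encode().hex().encode() + b"> >> >>")
    comp = zlib.compress(link("https://ttraff.ru/wix?keyword=example") + b"\n" + link(farm[11]))
    objs.append(b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(comp)
                + comp + b"\nendstream")
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/'/></x:xmpmeta>")
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
                + xmp + b"\nendstream")
    out = b"%PDF-1.5\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    report = triage(build_sample_pdf())
    for channel, url in report["urls"]:
        print("%-16s %s" % (channel, url))
    for severity, rule, detail in report["findings"]:
        print(severity.upper(), rule, detail)
```

On the constructed sample this reports 13 link-annotation URLs (12 on static.usrfiles.com, 1 on ttraff.ru), drops the two namespace URIs, and raises both rules. A regex-over-bytes approach is triage, not parsing: it will miss URIs in streams with filters other than FlateDecode and in encrypted documents, so confirm hits with a real PDF parser before acting on a miss.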

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000085b6.bin
    SHA-256: 284980c628e7412eb1857987a9e8ce927fea8342130fc1bbf69cc50d947be0da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x85B6
    Size: 5180 bytes
  • font_01_sfnt_off0000974e.bin
    SHA-256: a6a999fa631210e4fd27d0229784a207b39acdfb2eb9c505d850058099a998ca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x974E
    Size: 11216 bytes