Malicious PDF — malware analysis report

Static analysis result for SHA-256 28280a02892fc240…

MALICIOUS

PDF

43.3 KB Created: 2020-08-31 02:24:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43e222a7173c7acefb44329698ba4f87 SHA-1: 7f10e56be9837ba880b1db1e7c3ed1483e68a712 SHA-256: 28280a02892fc240f528601aa703b0a2d1fe782322058f12163a5a4b2824d549
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one pointing to a known malicious redirector. The document body, though heavily obfuscated, contains text fragments and URLs consistent with an advance-fee scam lure. The primary malicious URL identified is ttraff.ru, which is used to redirect the user to other potentially malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=trails+in+the+sky+2
    • https://static.usrfiles.com/ugd/b8c837_cf663ef75b884e2ba445f1a2d681b5c6.pdf
    • https://static.usrfiles.com/ugd/79cb75_4ba795008f334801bdb9ecf7ec5ded8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_5f97f74f65444b729899644ee10f5fe8.pdf
    • https://static.usrfiles.com/ugd/e02969_eec7148ea08a4b9c9b8bacf14b901be4.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_7153da531e254bf1829d473e36c0ad9c.pdf
    • https://cdn.shopify.com/s/files/1/0433/6300/8664/files/adobe_convert_scanned_to_text.pdf
    • https://static.usrfiles.com/ugd/97aff7_bb05188929194e929197f2c05f07c651.pdf
    • https://static.usrfiles.com/ugd/fdee49_a83b2df39f284025abd9e11d57734f02.pdf
    • https://static.usrfiles.com/ugd/906e9f_0c3678ae1fba45e1b8fa5a7501d7afdd.pdf
    • https://static.usrfiles.com/ugd/accd1f_7d5516feb0bc46a1b31be142fc5a09d4.pdf
    • https://static.usrfiles.com/ugd/067ecb_4afbfea2c94f44b9a398c3929f96b4be.pdf
    • https://static.usrfiles.com/ugd/15cd4d_c9fd9773dc2843a8a01237c1b499f8a3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c48.bin
cd8e90f8f80d1594b74eea86e743dc965086e500000aa4bb6df0db2c91a26907		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C48 5020 bytes
font_01_sfnt_off00007d5a.bin
359b9977b04f474534cd0f9a85fccba970a968cbb410df43601395d02701420d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D5A 10456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.