Malicious PDF — malware analysis report

Static analysis result for SHA-256 34d7b32363fedbba…

Verdict: MALICIOUS
File type: PDF
Size: 100.3 KB
Created: 2020-08-31 19:27:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f76ffe662551103334dd0efc237fbb9
SHA-1: 4ff0e0ec9b6b7905a0da84fa454d1a8f2bd9fabf
SHA-256: 34d7b32363fedbba3d675b3b011df5ae5460f098fd0baf510ebc8d070ea514f4
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the clickable link to the redirector is the delivery vector; T1566.002 is the "Spearphishing Link" sub-technique, not "Spearphishing Attachment", which is T1566.001)
T1059.001 PowerShell (no PowerShell or other script content appears in the heuristics or extracted artifacts below, so this tag is not supported by the static findings on this page)

The PDF contains numerous embedded links; the critical finding is a clickable link to a known malicious redirector, 'https://ttraff.ru/pify?keyword=ceclor+250+bula+pdf' (the keyword is a Portuguese search query for a medication leaflet, 'bula', which is typical of pharmaceutical SEO spam). The same URL also appears in the document body, which the analyzer reports as heavily obfuscated; for a wkhtmltopdf-generated file this usually means deflate-compressed content streams rather than deliberate obfuscation. The body also references other PDFs hosted on 'static.usrfiles.com'. The pattern points to an SEO-poisoning lure: a generated PDF that routes searchers through a redirect chain into malicious or unwanted-software delivery, relying on user clicks rather than on any parser exploit.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: embedded URL info
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel through which it was reached (macro, JS, link annotation, document body, ...). This page lists only the URLs, grouped by what the findings above say about them.
    Redirector link (clickable link annotation, also present in the document body):
    • https://ttraff.ru/pify?keyword=ceclor+250+bula+pdf
    External PDF links (the link farm):
    • https://static.usrfiles.com/ugd/a2e20a_94d3793ab25145609dc1adf44a9a862c.pdf
    • https://static.usrfiles.com/ugd/b8c837_0725ec1cacfc4d5fa647dcaf7a2bfee7.pdf
    • https://static.usrfiles.com/ugd/5ad03d_3b88b44662a64ccfb10c3b2ab3e9eef4.pdf
    • https://static.usrfiles.com/ugd/24853a_62230dba90254f7e88e5af59361fb5ce.pdf
    • https://static.usrfiles.com/ugd/7198c1_ccfa3dda9d164ed39332abd82072107f.pdf
    • https://static.usrfiles.com/ugd/227d0f_737da68a3d444dc28c7c7624dffeb3d9.pdf
    • https://cdn.shopify.com/s/files/1/0434/7628/7648/files/49965391974.pdf
    • https://cdn.shopify.com/s/files/1/0428/8184/3353/files/62977545959.pdf
    • https://cdn.shopify.com/s/files/1/0430/1576/6177/files/vinikozevatujizavovod.pdf
    • https://static.usrfiles.com/ugd/3f0e57_d294af0f04074cd9b455b7be8de7f035.pdf
    • https://static.usrfiles.com/ugd/b444d4_97ce4a71eec34a6aa94ccda452486d43.pdf
    • https://static.usrfiles.com/ugd/b8c837_4e20110fd41f4636b6ca4aa6395a8683.pdf
    • https://static.usrfiles.com/ugd/a59130_cdcfad15af5d4203ad4306b79d083f59.pdf
    • https://static.usrfiles.com/ugd/de60da_b216b61ddead4d46a32b8b7c51c0e562.pdf
    XMP namespace identifiers from the metadata stream (RDF/XMP schema URIs, not link targets; do not treat them as indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
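The three heuristics above can be reproduced with a small amount of stdlib Python. The script below is an added example for this page, not the analysis platform's own code: it pulls clickable targets out of /Link annotation /URI actions, inflates FlateDecode streams to find URLs in the document body, separates XMP namespace URIs (which the EMBEDDED_URL list above also swept up) from real targets, checks hosts against a redirector list, and applies a PDF_SEO_LINK_FARM-style test (small file, many clickable .pdf links, most on one host). The redirector host and the sample URLs are taken from this report; the PDF they are placed into is constructed by `build_sample_pdf`, and the thresholds in `link_farm_verdict` are this example's assumptions, not the platform's.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Redirector host named by this report's PDF_MALICIOUS_REDIRECTOR_LINK heuristic.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.ru"}

# /URI entries of link-annotation actions (literal-string form; hex strings are not handled).
URI_RE = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)")
# A stream object: its dictionary (one nesting level allowed) followed by the raw stream data.
STREAM_RE = re.compile(
    rb"<<(?P<dict>[^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n(?P<data>.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
XMLNS_RE = re.compile(rb'xmlns(?::\w+)?="([^"]+)"')


def _pdf_literal(raw: bytes) -> str:
    """Undo the \\( \\) \\\\ escapes of a PDF literal string (octal escapes ignored)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def clickable_uris(pdf: bytes) -> list[str]:
    """URLs reached by clicking: /Link annotations carrying a /URI action."""
    return [_pdf_literal(m.group("s")) for m in URI_RE.finditer(pdf)]


def _stream_payloads(pdf: bytes):
    """Yield each stream's data, inflating FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        data = m.group("data")
        if b"/FlateDecode" in m.group("dict"):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or multi-filter stream: skip rather than guess
        yield data


def body_urls(pdf: bytes) -> tuple[list[str], list[str]]:
    """URLs inside stream data, with XMP namespace URIs split out: those are
    metadata schema identifiers, not link targets, and must not count as IOCs."""
    urls, namespaces = set(), set()
    for data in _stream_payloads(pdf):
        namespaces.update(n.decode("latin-1") for n in XMLNS_RE.findall(data))
        urls.update(u.decode("latin-1") for u in URL_RE.findall(data))
    return sorted(urls - namespaces), sorted(namespaces)


def link_farm_verdict(pdf_size: int, uris: list[str], max_size: int = 256_000,
                      min_links: int = 6, cluster: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: a small file whose clickable links are mostly
    external .pdf targets clustered on one host. Thresholds are this example's assumptions."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": round(share, 2),
            "triggered": pdf_size <= max_size and len(pdf_links) >= min_links and share >= cluster}


def analyze(pdf: bytes) -> dict:
    """Run the three checks the report applies: URL channels, redirector hit, link farm."""
    clickable = clickable_uris(pdf)
    body, namespaces = body_urls(pdf)
    hosts = {urlsplit(u).hostname for u in clickable + body}
    return {"clickable": clickable, "body": body, "xmp_namespaces": namespaces,
            "redirector_hosts": sorted(hosts & KNOWN_REDIRECTOR_HOSTS),
            "link_farm": link_farm_verdict(len(pdf), clickable)}


def build_sample_pdf(links: list[str], body_text: str) -> bytes:
    """Constructed sample (not the analysed file): one page, one /Link annotation per
    URL, a FlateDecode content stream drawing body_text, and an XMP metadata stream."""
    content = zlib.compress(f"BT /F1 12 Tf 72 700 Td ({body_text}) Tj ET".encode())
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    annots = b" ".join(b"%d 0 R" % (6 + i) for i in range(len(links)))  # objects 6.. are the links
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 5 0 R /Annots [%s] >>" % annots,
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(content), content),
    ] + [b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /A << /S /URI /URI (%s) >> >>"
         % (700 - 14 * i, 712 - 14 * i, u.encode()) for i, u in enumerate(links)]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# URLs copied from this report; the file they are placed in is constructed above.
REDIRECTOR = "https://ttraff.ru/pify?keyword=ceclor+250+bula+pdf"
SAMPLE_LINKS = [REDIRECTOR,
    "https://static.usrfiles.com/ugd/a2e20a_94d3793ab25145609dc1adf44a9a862c.pdf",
    "https://static.usrfiles.com/ugd/b8c837_0725ec1cacfc4d5fa647dcaf7a2bfee7.pdf",
    "https://static.usrfiles.com/ugd/5ad03d_3b88b44662a64ccfb10c3b2ab3e9eef4.pdf",
    "https://static.usrfiles.com/ugd/24853a_62230dba90254f7e88e5af59361fb5ce.pdf",
    "https://static.usrfiles.com/ugd/7198c1_ccfa3dda9d164ed39332abd82072107f.pdf",
    "https://cdn.shopify.com/s/files/1/0434/7628/7648/files/49965391974.pdf",
    "https://cdn.shopify.com/s/files/1/0428/8184/3353/files/62977545959.pdf"]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_pdf(SAMPLE_LINKS, REDIRECTOR)), indent=2))
```

Two design points carry over to real triage. Link annotations are the only channel that needs no parser bug to fire, so `clickable_uris` is the list to pivot on; URLs that only appear in the body (or only in XMP `xmlns` declarations) are context, not a verdict. And the link-farm test keys on the path ending in `.pdf`, so the redirector itself does not count toward the cluster even though its query string contains the word "pdf"; it is caught by the host check instead.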

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs (sfnt), which is normal for wkhtmltopdf output; no scripts, embedded files or other non-font streams were carved.

Filename: font_00_sfnt_off00012f43.bin
  SHA-256: 991586cf428c42082748467c1e8f995e41929fc6d74ac6b36d5d79c30a98ae21
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12F43
  Size: 5180 bytes

Filename: font_01_sfnt_off000140ea.bin
  SHA-256: 9899dea18341c7380ac73cb1cd40ff18f8b6e23e1aa8bbadd3fa2b8e41ee3c53
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x140EA
  Size: 17796 bytes

Filename: font_02_sfnt_off00017663.bin
  SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17663
  Size: 4324 bytes