Malicious PDF — malware analysis report

Static analysis result for SHA-256 36dc4de44a3adafa…

MALICIOUS

PDF

49.1 KB Created: 2020-09-02 00:05:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72b6a3192b664c4f3237156b498c2728 SHA-1: bae2e93010254145374550c306ad879c8f0943c7 SHA-256: 36dc4de44a3adafa87125776bb78332b71dd430032bc1900176aab6937b75597
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/pify?keyword=poweredge+t30+mini+tower+server+datasheet'. This URL is embedded within the document body, disguised as a server datasheet. The file also exhibits characteristics of a PDF link farm, with numerous external links, many of which point to 'static.usrfiles.com'. The primary malicious URL is the most significant IOC.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=poweredge+t30+mini+tower+server+datasheet
    • https://static.usrfiles.com/ugd/b7082a_1c9fe74680924a99817bad3e4b770bb4.pdf
    • https://static.usrfiles.com/ugd/0f5b72_5010526021c14a84b1a32ac5e34ccc9e.pdf
    • https://static.usrfiles.com/ugd/08e331_2ca6ead4e26140bfb8ac13ab91d85c4c.pdf
    • https://static.usrfiles.com/ugd/345929_8e1e46859964495f9ad95f54c98c4151.pdf
    • https://static.usrfiles.com/ugd/81ef4b_7492ea8ba9664579b85a8155c63959b1.pdf
    • https://static.usrfiles.com/ugd/9904c2_2868ed641d7248e6afaa4f52e7c57dd7.pdf
    • https://static.usrfiles.com/ugd/d1c05f_895c479a2ee4424886083a8f1f1a55a3.pdf
    • https://static.usrfiles.com/ugd/b8c837_faf09e797d1f4b0fb87d35e76c5b673f.pdf
    • https://cdn.shopify.com/s/files/1/0463/3110/1345/files/poe_labyrinth_guide.pdf
    • https://cdn.shopify.com/s/files/1/0436/2479/2224/files/oak_bandit_poe.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/88065476392.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gamusuzojikifikukudubug.pdf
    • https://cdn.shopify.com/s/files/1/0437/7768/7701/files/antipasto_pro_regular_font_free.pdf
    • https://cdn.shopify.com/s/files/1/0435/9634/9602/files/widavapojikux.pdf
    • https://cdn.shopify.com/s/files/1/0436/1011/2163/files/gukejub.pdf
    • https://cdn.shopify.com/s/files/1/0433/4164/3928/files/lisoliguwiga.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000080d4.bin
41f725d194a0a36656f7fd20d0861720ffb36ba378b6a80edd54798289d30bab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80D4 5664 bytes
font_01_sfnt_off00009405.bin
bd95c6867d3bb684d6f7d6386f779d390dea9350026eac7dc24005eeac7b0957		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9405 10472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.