Malicious PDF — malware analysis report

Static analysis result for SHA-256 3aad83caaaf28ce2…

MALICIOUS

PDF

38.4 KB Created: 2020-08-31 18:43:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6201568f413451b969557843724b5485 SHA-1: 0671cfd02bb15f8ddff6466a609022de7e2f0e07 SHA-256: 3aad83caaaf28ce25a75a8f9e35c6fa9b1e6b68f0fc3fe01ac50b408e7050a10
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one identified as a malicious redirector. The primary malicious URL is https://ttraff.ru/pify?keyword=miley+cyrus+butterfly+fly+away++free, which is likely used to lure users to a phishing or malware-hosting site. The document body, though heavily obfuscated, contains references to this URL and other benign-looking PDF links, suggesting a link farm or redirection tactic. No scripts were extracted, and the file type is PDF, indicating a social engineering attack vector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=miley+cyrus+butterfly+fly+away++free
    • https://static.usrfiles.com/ugd/bd5c68_32c5f4f4193a4eeeafd77bd4e40b4102.pdf
    • https://static.usrfiles.com/ugd/b8c837_57ede5627bd64971b4976289694babe6.pdf
    • https://static.usrfiles.com/ugd/0d2908_215727e8880c4ea7a5a78ccdeb3e26f7.pdf
    • https://static.usrfiles.com/ugd/ab0441_07d643513b72453aa604ac9e6e614cc7.pdf
    • https://static.usrfiles.com/ugd/9dda13_3a16b9e15a8647479d61b41f7690c44a.pdf
    • https://static.usrfiles.com/ugd/0ebc1f_69f57d6e7922415e829fb2d9cbd58734.pdf
    • https://static.usrfiles.com/ugd/db1da1_a3e4abe61d6b4c218a5b12f030641344.pdf
    • https://static.usrfiles.com/ugd/b8c837_44b0347737ab4394b3e02defa38c2303.pdf
    • https://cdn.shopify.com/s/files/1/0430/7746/8327/files/rofapa.pdf
    • https://cdn.shopify.com/s/files/1/0436/8501/9801/files/57944926102.pdf
    • https://cdn.shopify.com/s/files/1/0432/2911/8627/files/4247490284.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/xuwuvedalolavotidexetugom.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_090ec644de894b96a054ad73e0064eaf.pdf
    • https://static.usrfiles.com/ugd/b8c837_0f94da350e97404c8c22214bdae5e1c3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c7a.bin
22d383ee582a59c964103b613c8e2ff25abd9f694a5215888e9d70d7d6ea1bb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C7A 4880 bytes
font_01_sfnt_off00005d3f.bin
3d5e0b17a0219a2f706957c416f529725a7ea508f324843ee099a6ac3fc69a1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D3F 9796 bytes
font_02_sfnt_off00007edd.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EDD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.