Malicious PDF — malware analysis report

Static analysis result for SHA-256 438dfbe5f329868a…

MALICIOUS

PDF

33.4 KB Created: 2020-08-31 07:28:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a2ac683c373074727c2baa84c5769a3 SHA-1: e205713f544b52bf5d700eed2de905ce95af3de1 SHA-256: 438dfbe5f329868a61048cefb8f8c8d9b490948d8d8f9f6c7a804fc866a35abc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links pointing to external PDF documents, a technique often used for SEO manipulation or to host malicious content. One of the embedded URLs, 'https://ttraff.ru/wix?keyword=honeywell+hz-709+oil-filled+radiator+heater', is flagged as a malicious redirector. The document body itself appears to be garbled but contains references to the product 'Honeywell hz-709 oil-filled radiator heater', suggesting a lure to attract clicks.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=honeywell+hz-709+oil-filled+radiator+heater
    • https://static.usrfiles.com/ugd/b8c837_729d691f03ea498285c983a66500103a.pdf
    • https://static.usrfiles.com/ugd/b8c837_172d476094d542c795c346bf5c941397.pdf
    • https://static.usrfiles.com/ugd/dc51bb_aa3cbd4708fd4402ae0c39d4892336ed.pdf
    • https://static.usrfiles.com/ugd/197ed4_c54a5abc973f41f3972639e666f88ad8.pdf
    • https://static.usrfiles.com/ugd/b8c837_047b736365034e24a6aa527cd62a058b.pdf
    • https://static.usrfiles.com/ugd/de65f7_b40bf689bf0f4cc5ac12ba9ef8398d9f.pdf
    • https://static.usrfiles.com/ugd/405339_2e7072f447e14e4d9bf8777e910809f7.pdf
    • https://static.usrfiles.com/ugd/cfbfd2_87d85c881b8b4bccbea617713f3f702f.pdf
    • https://static.usrfiles.com/ugd/b8c837_b141bc19f86a429baf8c81e42b40d6e9.pdf
    • https://static.usrfiles.com/ugd/b27199_e881f360564d489989c7b09f683180a0.pdf
    • https://static.usrfiles.com/ugd/b8c837_a890250f56a84113a07372589ff5293c.pdf
    • https://static.usrfiles.com/ugd/d1d005_3bed0b44da8f4e37b0d6e1dd3ea9c2a8.pdf
    • https://static.usrfiles.com/ugd/0df15e_b729d0a7d6d048e4abe66adea9a821d5.pdf
    • https://static.usrfiles.com/ugd/1ee69b_1b9e16e844d44d49a39a64f1e239210c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000046e0.bin
e8c4572b10bc1f3cba037afadc529e6d5d7f0f540e2f646a680fbb0d712aaeb0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x46E0 5432 bytes
font_01_sfnt_off00005973.bin
4f1db52c81f428e21a0e8f2dfe1c9c516e1f530c6a0444ceb2f68f7f68eb5e1b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5973 9140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.