Malicious PDF — malware analysis report

Static analysis result for SHA-256 454495d824527f8d…

MALICIOUS

PDF

44.6 KB Created: 2020-08-29 10:31:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b7acff68a79d4186bd0cb28a16af5f4 SHA-1: 14d5f415e28c6886dbc609b09f796b2161994576 SHA-256: 454495d824527f8d282e3c5dc88a84c1c588b9905ae704d358e98e2209ec4d14
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file exhibits malicious behavior through its extensive use of embedded links. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that at least one URL points to known malicious redirector infrastructure, specifically 'https://ttraff.ru/wix?keyword=six+sigma+yellow+belt+training+mater'. Additionally, the PDF_SEO_LINK_FARM heuristic fired, noting a large number of external PDF links, suggesting a link farm or SEO poisoning tactic. The document body contains garbled text but also includes the same malicious URL and several benign-looking PDF links, reinforcing the idea of a link distribution scheme.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=six+sigma+yellow+belt+training+mater
    • https://static.usrfiles.com/ugd/b8c837_23bc1e9f24024887a160d64430be2cb8.pdf
    • https://static.usrfiles.com/ugd/b8c837_90609528b9314325ba73b3be778ca2a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_651e5f6040ec418d9a75004962bd327c.pdf
    • https://static.usrfiles.com/ugd/b8c837_3e23a41186604fdda221f1467e8a191e.pdf
    • https://cdn.shopify.com/s/files/1/0453/6372/4443/files/aphthous_ulcers_patient_handout.pdf
    • https://cdn.shopify.com/s/files/1/0428/6945/7063/files/xilit.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/nimerupaxowajiji.pdf
    • https://cdn.shopify.com/s/files/1/0431/8081/8581/files/64459518444.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f34ff608644465497c549119ec35bbc.pdf
    • https://static.usrfiles.com/ugd/b8c837_c9fe2f5800e94b7dbf78fdecd968d284.pdf
    • https://cdn.shopify.com/s/files/1/0432/8249/7701/files/melesimokixepageziruduz.pdf
    • https://cdn.shopify.com/s/files/1/0440/6594/7798/files/pikorewudalevepibaxulu.pdf
    • https://cdn.shopify.com/s/files/1/0432/1555/2674/files/zegadesetuteji.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0431/8081/8581/files/6445951844

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d16.bin
9869018e69a2a635d63c30b0dcc26b9f3cc7d4d5a79b4bbcac32583aca0974e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D16 5512 bytes
font_01_sfnt_off00007fd0.bin
215160daff23147af2b3551379ed98cda8848562cda316e6dcd315b883c88de9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FD0 10932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.