Malicious PDF — malware analysis report

Static analysis result for SHA-256 4aa51bac8b8b3365…

Verdict: MALICIOUS
File type: PDF
Size: 84.5 KB
Created: 2020-09-15 13:47:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6002b5d0f7ddb2945a156754db13654e
SHA-1: 9ab4389d02026d93cb58aa42104ee5935cb2f3f7
SHA-256: 4aa51bac8b8b3365b3c47ded2735c0c8fbc45ec9b1f3b6348b4d3703a0151a2f
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, pointing to a URL that is part of a known malicious redirector infrastructure. Additionally, the PDF_SEO_LINK_FARM heuristic indicates a large number of external links, and the SE_PAYMENT_REDIRECT_LURE heuristic suggests a business-email-compromise pattern involving fake payment instructions. The embedded URL https://ttraff.ru/wb?keyword=henrico%20public%20schools%20reopening is the primary IOC, likely leading to a malicious payload or phishing page.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure [high] SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.ru/wb?keyword=henrico%20public%20schools%20reopening

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ea33.bin | 6ab4462f307b25385fdfc0ce53e8bef15c03202595eba4616464486590765f94 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA33 | 5088 bytes
font_01_sfnt_off0000fb78.bin | df2a89b420da489035cb19fc03752ecfdaf947ece993ef5c771e7af3857b9161 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB78 | 10960 bytes
font_02_sfnt_off000120fc.bin | d493fe8b298c1e6348853f374d2f2b8435082176d3db0d86b0eca9e4eae8f4c1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x120FC | 16840 bytes
font_03_sfnt_off00013911.bin | df4fc428fae34a1924c25135f9deb5fe50dbd295018d5be0898efbf4ad11dd35 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13911 | 2740 bytes