Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d7bff7cc185db52…

MALICIOUS

PDF

41.0 KB Created: 2020-08-30 02:29:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 92680ef8728025ce13dfdde96ea62dc2 SHA-1: e0eb2e4b872dfb3113e38dcc303ab54a60d642ff SHA-256: 4d7bff7cc185db520b9f20dfe302eca941b90b4aa58a8a7faaa42c484f5e1df1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=once+upon+a+time+in+venice+torrent'. This indicates the document's primary purpose is to redirect the user to a malicious site, likely for further exploitation or phishing. The document body contains the same URL, reinforcing this finding. The presence of numerous other PDF links, while some are benign, suggests a link farm strategy to obscure the malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=once+upon+a+time+in+venice+torrent
    • https://cdn.shopify.com/s/files/1/0435/3264/8602/files/sally_salons_games.pdf
    • https://cdn.shopify.com/s/files/1/0429/6241/9863/files/simile_worksheets_grade_3.pdf
    • https://cdn.shopify.com/s/files/1/0436/4946/6526/files/im_a_classic_man_lyrics.pdf
    • https://cdn.shopify.com/s/files/1/0438/0046/1474/files/thinking_out_loud_mp4.pdf
    • https://cdn.shopify.com/s/files/1/0428/4655/2230/files/78413211576.pdf
    • https://static.usrfiles.com/ugd/51c472_6408c563fedd4dbba50eac0bb6a6a2de.pdf
    • https://static.usrfiles.com/ugd/39cb9d_d2bf6c8b852d4185849f207224336b18.pdf
    • https://static.usrfiles.com/ugd/b8c837_bb414885479d47a6a728a34559383fb7.pdf
    • https://static.usrfiles.com/ugd/b5aed9_53e8ee05942147b5a82402392f2bd1ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_16f9b168beec40f4aba744411290e806.pdf
    • https://static.usrfiles.com/ugd/e8506d_8328a93dd4154d2b959a8fdd35f33150.pdf
    • https://static.usrfiles.com/ugd/e745be_375c78cd0b374dde8072a1cfaf1453f3.pdf
    • https://static.usrfiles.com/ugd/73c254_9a511b21df6643f2953eb94292add05d.pdf
    • https://static.usrfiles.com/ugd/a467d2_a8b7ef248e9a405dbaa07231ea4e6f1e.pdf
    • https://static.usrfiles.com/ugd/67e251_6dda85b7d9af4f35b8144fc98770183f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e0ec9d01b5224ac2b0db595c21313d7c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006026.bin
cf36b19b3a33509dda4a0827c4f2963e84e52007d2b6b14b225b25e116b22d09		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6026 4956 bytes
font_01_sfnt_off000070f1.bin
8c14e314e55eac0a2146add80d27217efd04b3824bd3141068f24eb81e72bb25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70F1 11504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.