Malicious PDF — malware analysis report

Static analysis result for SHA-256 56037271231ebeb5…

MALICIOUS

PDF

39.9 KB Created: 2020-09-02 01:52:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fab9b335e14d58a0893acb533182658 SHA-1: 2bbd28955dee8bb3eab3c9e90a84e81bb503564f SHA-256: 56037271231ebeb5b22b316abcfcd564361b9ba6ba700660d308d790d1ab50e1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.ru'. Additionally, it exhibits a PDF link farm heuristic, embedding numerous links to external PDFs, many hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same redirector URL. This suggests a social engineering attempt to drive traffic to malicious infrastructure, possibly for further exploitation or phishing.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=parse+error+fixer+android
    • https://static.usrfiles.com/ugd/eaf48f_c55aa8a7712245f993395539f49fa9b7.pdf
    • https://static.usrfiles.com/ugd/b444d4_1c4a222e5ab34f348a8dd527f67a537b.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_8b2e83d712a44916aa8b67430fd0b0af.pdf
    • https://static.usrfiles.com/ugd/06497e_225a05cb6e3a4e87905c751b68b9510a.pdf
    • https://static.usrfiles.com/ugd/b88e3d_755e4380a5b742a38521b4d09a7cbb6f.pdf
    • https://cdn.shopify.com/s/files/1/0428/9147/7159/files/62399905169.pdf
    • https://cdn.shopify.com/s/files/1/0435/0024/1061/files/preparation_of_p_bromoaniline_from_aniline.pdf
    • https://cdn.shopify.com/s/files/1/0428/5032/0540/files/nibosejir.pdf
    • https://cdn.shopify.com/s/files/1/0429/4872/2851/files/shielded_twisted_pair_cable.pdf
    • https://cdn.shopify.com/s/files/1/0434/8438/1337/files/3862668434.pdf
    • https://static.usrfiles.com/ugd/b910ae_de8ad09884e6426f8600099068204919.pdf
    • https://static.usrfiles.com/ugd/c33cdb_2f966206934f45db8a1ffde574df8f73.pdf
    • https://static.usrfiles.com/ugd/ce14f3_b8e545bfd81d4881a28305c3442dc8b8.pdf
    • https://static.usrfiles.com/ugd/c3f59f_e7431a54e0f94bb09b492f1e0e654381.pdf
    • https://static.usrfiles.com/ugd/0c4177_8eee8315240a454bb9bd2cf14baa7161.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f9d.bin
3ed24aa14c135b0b5a34a6cfab4c512fd78c2b7540ae7272aa7ff3209204afbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F9D 4940 bytes
font_01_sfnt_off0000707a.bin
2d896bbafe63e59b63b262fd1ee3ca570f5a3c38bf5af6b3531b97cbdf072ee7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x707A 10036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.