Malicious PDF — malware analysis report

Static analysis result for SHA-256 56a032177524c569…

MALICIOUS

PDF

41.4 KB Created: 2020-08-30 04:59:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3cbb9477bdfa06192f7fdcd9c3fc1aba SHA-1: 3f5b07ff90c833ee142834819fdca58a0f38a063 SHA-256: 56a032177524c56917e6cb976f7082b80c260634bc4342b6c82635b6805bfed0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic firing indicating a link farm. One of the primary links, 'https://ttraff.ru/wix?keyword=wot+artillery+mod', is flagged as a known malicious redirector. While many other links point to benign content, the presence of the malicious redirector and the sheer volume of links suggest a malicious intent, likely for SEO abuse or to funnel users to harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=wot+artillery+mod
    • https://static.usrfiles.com/ugd/0dcf4b_0f541b4e29624d72895af978c1f9a4f1.pdf
    • https://static.usrfiles.com/ugd/b8c837_c18c34ad10884e728dd5f90b0d3ff43b.pdf
    • https://static.usrfiles.com/ugd/12745a_fb7c94e169994e79bb599a14d9b56aed.pdf
    • https://static.usrfiles.com/ugd/b8c837_94e8b0ba37c44466b0398183786a2003.pdf
    • https://static.usrfiles.com/ugd/5b604d_0db87561de00468a9890122fd03331c5.pdf
    • https://cdn.shopify.com/s/files/1/0430/8421/8532/files/437458727.pdf
    • https://cdn.shopify.com/s/files/1/0437/2430/8630/files/dazimepamefokirit.pdf
    • https://static.usrfiles.com/ugd/f4de5e_4c45101594304bf4a13a2cdd4a68af0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_6ecf2aca89be4298a7365091a81b1acc.pdf
    • https://static.usrfiles.com/ugd/2e16aa_017887fa5ab348c9ab351cc1641c62ea.pdf
    • https://static.usrfiles.com/ugd/3be3a7_1dc01ff1dfb54f8c8d118c9ffb70192d.pdf
    • https://static.usrfiles.com/ugd/32acb1_ced682face324d3b8fad2c2f73c92dc3.pdf
    • https://static.usrfiles.com/ugd/b8c837_fb4c279411424fc8b36940eb16d3c4d5.pdf
    • https://static.usrfiles.com/ugd/e3ff21_7419a40eead74a67b943abc6ae842556.pdf
    • https://static.usrfiles.com/ugd/ea78e0_857db3b11f904397bfc6548472986305.pdf
    • https://static.usrfiles.com/ugd/b8c837_404adcd3ec914b3bad63c6b2875a2582.pdf
    • https://static.usrfiles.com/ugd/bf0735_f9f4c0f732354103ac1208de3994c2d3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057ba.bin
d7549da3b761dd6863e54fa5673a955f42bd5149f19d5243fa21e899e5cdd7e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57BA 4588 bytes
font_01_sfnt_off0000675e.bin
70d72313d3c1be12d2652d13ed2f9c85d0ef84d7345eaba31e69a54c0af3d7cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x675E 10448 bytes
font_02_sfnt_off00008a95.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A95 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.