Malicious PDF — malware analysis report

Static analysis result for SHA-256 56c0fbb040f09834…

MALICIOUS

PDF

37.1 KB Created: 2020-08-31 01:57:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 662af6d289d19aab8c2f7d59c81f0bfa SHA-1: a1f0aa955996a7b305a33c2d73d9d05a3419de64 SHA-256: 56c0fbb040f09834ec40648ce294760a6b7b89d2b277617c55616a96f605b2ae
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=go+tcha+manual'. The document body, though heavily obfuscated, also contains this URL and numerous other links to static.usrfiles.com, suggesting a link farm or redirection strategy. The primary intent appears to be directing the user to the malicious ttraff.ru domain.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=go+tcha+manual
    • https://static.usrfiles.com/ugd/b8c837_463de93d2f4c4289be6300a96b299f5c.pdf
    • https://static.usrfiles.com/ugd/d99ef3_662662a264d64437b058a585c5f47b7f.pdf
    • https://static.usrfiles.com/ugd/b58d21_8a062056322f4268b091e543fa2bb678.pdf
    • https://static.usrfiles.com/ugd/4d6844_07410951a8f84816a0070be71fbff849.pdf
    • https://static.usrfiles.com/ugd/b58d21_4d5e1ffe84974d0bad30b70e5c3e354c.pdf
    • https://static.usrfiles.com/ugd/dad90e_d89a0704b4784a65880485c954ce297b.pdf
    • https://static.usrfiles.com/ugd/5360f8_384e6fb3bdc346fc95053ca4829caeb4.pdf
    • https://static.usrfiles.com/ugd/837d34_099cf020fec44625a8b71b5cd315b643.pdf
    • https://static.usrfiles.com/ugd/764aaa_d01855b0bf8d4e70b0e2a064c5cd3f71.pdf
    • https://static.usrfiles.com/ugd/2ca09c_e349bf9f7d9b437b9cd471d456ec3bab.pdf
    • https://static.usrfiles.com/ugd/822ecd_5a86d5b651bf4f8eb5a823f917fb63b2.pdf
    • https://static.usrfiles.com/ugd/b8c837_c8ea34b0ce2541cfa679460501c7c609.pdf
    • https://cdn.shopify.com/s/files/1/0436/8980/3941/files/13965841079.pdf
    • https://cdn.shopify.com/s/files/1/0429/9948/0473/files/24801835621.pdf
    • https://cdn.shopify.com/s/files/1/0432/9373/7110/files/sufemoxajevovilafenirij.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000503e.bin
a90aebe659223a7e9adc58aa53f019cbd4c40345d2b1be02b622deeb30ba962c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x503E 4796 bytes
font_01_sfnt_off0000606e.bin
17b713f1de5262157313e5d2839600547b71f46c623e2fdc47e2142f4e793107		 pdf-font-stream PDF embedded font (sfnt) at offset 0x606E 12172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.