Malicious PDF — malware analysis report

Static analysis result for SHA-256 573306d51b6aad84…

Verdict: MALICIOUS
File type: PDF
Size: 61.0 KB
Created: 2020-08-31 13:48:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7757e12476be64d5b1da5b925160150a
SHA-1: e58856c62f88a669005c80dbcbee65daa4c0ec09
SHA-256: 573306d51b6aad84d2b812b46aa7158462775af803ce9c80f4f507528871c042
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.ru/wix?keyword=at%2526+t+outage+report+today', is flagged as a malicious redirector. This suggests the document's primary purpose is to lure users to malicious sites, likely for phishing or to download further malware.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=at%2526+t+outage+report+today (in PDF document text)
    • https://static.usrfiles.com/ugd/b4609a_ea38a3022e544529a5660657bce40a72.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/e2f197_fc0db8873dc54531b7d75b7032fddca8.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/10e3af_6859f7b04d4b421f8b9dba25114c0b29.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/c345b0_3b737dbe04794e11887e8f4d6d8b5232.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/4f270c_bd3167d1c0e049478f00f73b1d39daa3.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/cafc24_115657b0535a402cb23c811cef3b9204.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/8de238_7b415161dced467f81a2e830083bd0cb.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/6c032c_f5485dc758d7441ea59ea5eb3cdac3d5.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0427/7311/9143/files/dodikogikejapoxe.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0429/9502/4033/files/zijibuguzozuxozafuv.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/b8c837_31ae5b9fda44486e9c06b3ae4c9525ad.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/d775a9_9086fbc2f12a4af9b9e5e6eb0eaf0248.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/b8c837_1a50513b71d841099b13879ecfc9f6ef.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/b8c837_f83e8e3d58ce4460a856622d799ad8ff.pdf (in PDF document text)
    • https://static.usrfiles.com/ugd/b8c837_24e161106c194280bc354221f0f6fc7c.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: font_00_sfnt_off0000908e.bin
  SHA-256: 03ac0af74e94c53884f9036204eff7fddfabe4761e42afdf6fe8c1e36085663d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x908E
  Size: 3460 bytes

Filename: font_01_sfnt_off00009d11.bin
  SHA-256: b5c1bb37bc67a10175673d8add07a47736101b1af0b60fb6bf32e713008d04ab
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9D11
  Size: 4144 bytes

Filename: font_02_sfnt_off0000ab34.bin
  SHA-256: b5e4073b6e648f5c5bd4941f5afaa56dd23d993ebbfdfe66bc59f144d34de333
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAB34
  Size: 11196 bytes

Filename: font_03_sfnt_off0000d118.bin
  SHA-256: f0898dad4ca575ee7ec65d37881b711376a04131121ff607c532cb07eb4dc320
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD118
  Size: 16104 bytes