Malicious PDF — malware analysis report

Static analysis result for SHA-256 5755e96bfc0adf66…

MALICIOUS

PDF

66.7 KB Created: 2020-08-29 21:22:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 40052c0f273df9169adae72cc2c5bcf8 SHA-1: 30ee8c9bc6e2c52d964f7b2466169ff1c97a0cd6 SHA-256: 5755e96bfc0adf66f6c82f96556d068c730585a326efcee7dcd8f9e7ce95bcb2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one specifically pointing to a known malicious redirector at 'ttraff.ru'. The document body, though heavily obfuscated, contains text related to 'como sacar letra capital en word 201', suggesting a lure to trick users into clicking the malicious link. The presence of numerous external links also indicates a link farm strategy.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=como+sacar+letra+capital+en+word+201
    • https://cdn.shopify.com/s/files/1/0429/8833/9354/files/wufomibaruderokak.pdf
    • https://cdn.shopify.com/s/files/1/0433/1218/5494/files/contamination_of_surface_water.pdf
    • https://cdn.shopify.com/s/files/1/0431/8851/9076/files/senawejuteseni.pdf
    • https://static.usrfiles.com/ugd/b8c837_7ab2735ed65648c4a259943546cac86a.pdf
    • https://cdn.shopify.com/s/files/1/0429/3410/8323/files/organic_chemistry_solomons_10th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0429/3676/2527/files/bulolaz.pdf
    • https://cdn.shopify.com/s/files/1/0432/7260/1756/files/wosubokobufe.pdf
    • https://cdn.shopify.com/s/files/1/0428/2574/4547/files/95961786628.pdf
    • https://cdn.shopify.com/s/files/1/0432/5313/7570/files/promissory_note_telugu.pdf
    • https://cdn.shopify.com/s/files/1/0436/4884/3934/files/99583997895.pdf
    • https://cdn.shopify.com/s/files/1/0459/9794/9087/files/megitovemajerutunesibof.pdf
    • https://cdn.shopify.com/s/files/1/0437/3757/9674/files/53805868081.pdf
    • https://cdn.shopify.com/s/files/1/0432/2207/3506/files/ruvabipidadekoveva.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b165.bin
b6753e7ae53324a62c2000a7082e5abf061d9c8f31a486bfff2622315bb190d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB165 1628 bytes
font_01_sfnt_off0000b99a.bin
d6d574ac6a898aea07fedace54ad636afdebe0fefb5a39439a36a6c5a5729ed0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB99A 5540 bytes
font_02_sfnt_off0000cc6e.bin
18b1f997b9e79cf14b22c3e89861804494f0970f9c181955c31d1ce449bdcf1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC6E 15392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.