Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ceefebc57d6a4d7…

Verdict: MALICIOUS
File type: PDF
Size: 49.9 KB
Created: 2020-08-31 12:09:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 864154fd0f59f71f9aa03560cd20ed2e
SHA-1: bd4b84b1d08be2e15141d2b51b5d1d5b0eaed8f2
SHA-256: 7ceefebc57d6a4d7b2c1ca8da7feb87afbf70061073362c1ddd8429f994d8038
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a link to a known malicious redirector at ttraff.ru. The document body, though partially corrupted, contains text related to 'bodyweight exercises' and the URL that triggered the redirector. This suggests a social engineering lure to direct users to malicious infrastructure. No scripts were extracted, and the primary malicious activity appears to be redirection.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL that triggered the redirector heuristic: https://ttraff.ru/wix?keyword=list+of+bodyweight+exercises+wikipedia

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                   Size
font_00_sfnt_off0000758b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x758B   5472 bytes
  SHA-256: 57f49be89e2e57e2f99bdcf8127b1a2faa2b36af0da50782f1af9cb5d7acc0e3
font_01_sfnt_off00008857.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8857  10700 bytes
  SHA-256: a70344dba899bd225537e51a33868fec045efe99b32631ee422e79b0982246f8
font_02_sfnt_off0000aca9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xACA9   4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378