Malicious PDF — malware analysis report

Static analysis result for SHA-256 804c7b270a357fea…

MALICIOUS

PDF

59.5 KB Created: 2020-08-30 03:32:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b571f45a7d125b13da10803d9258d38 SHA-1: 53d3bfe2316b4d6d176df19dd7c1189e2a429f91 SHA-256: 804c7b270a357fea6ca9f6b8e9f8b2ce6425a686bfd4a9b5fa201ab21abbc536
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=delphi+programming+tutorial+01'. This URL is presented within the document body, disguised as a programming tutorial, to entice users into clicking it. The PDF also exhibits characteristics of a link farm, with numerous embedded links, suggesting a broader campaign to distribute malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=delphi+programming+tutorial+01
    • https://cdn.shopify.com/s/files/1/0433/8820/7254/files/bsnl_plans_maharashtra.pdf
    • https://cdn.shopify.com/s/files/1/0430/1488/1433/files/56404256485.pdf
    • https://cdn.shopify.com/s/files/1/0431/3477/9553/files/american_songbook.pdf
    • https://cdn.shopify.com/s/files/1/0430/0010/3071/files/72994271103.pdf
    • https://static.usrfiles.com/ugd/07625c_55a51b9fd1234d419fd1c70abcf72e8d.pdf
    • https://static.usrfiles.com/ugd/dfb5f8_ae9e5ec4096e4f71b1049b46a688e31a.pdf
    • https://static.usrfiles.com/ugd/6a22cb_46a98cb0d02149dc8df6ba4a5d642411.pdf
    • https://static.usrfiles.com/ugd/7f46b5_851e5c02e4c94cb6b10601f87be5ea49.pdf
    • https://static.usrfiles.com/ugd/067ecb_117ea2075c3946a7972cd9be3dbd0752.pdf
    • https://cdn.shopify.com/s/files/1/0435/5181/7883/files/corellian_conflict_map.pdf
    • https://cdn.shopify.com/s/files/1/0428/2515/4716/files/carol_of_the_bells_leontovich.pdf
    • https://cdn.shopify.com/s/files/1/0432/9255/7467/files/29133237663.pdf
    • https://cdn.shopify.com/s/files/1/0430/4519/1841/files/pujabuxe.pdf
    • https://cdn.shopify.com/s/files/1/0429/7539/5993/files/college_algebra_11th_edition_gustafson.pdf
    • https://cdn.shopify.com/s/files/1/0429/1559/4393/files/dufuxupigelim.pdf
    • https://cdn.shopify.com/s/files/1/0437/9800/3874/files/terapia_tanatologia.pdf
    • https://cdn.shopify.com/s/files/1/0434/0075/7398/files/trumpet_sheet_music_hallelujah_chorus.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ab48.bin
8bd0c1fe5d3e65cb06dbf382cd0647f8049cc6d0c559750674b6ba1a486e5a51		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB48 5248 bytes
font_01_sfnt_off0000bd08.bin
dbd3b4655e7ec46c157c4d4d487f4a732e7d7cc197da0afbccac23d5ec194812		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBD08 10460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.