Malicious PDF — malware analysis report

Static analysis result for SHA-256 82399e93503d69e3…

MALICIOUS

PDF

46.4 KB Created: 2020-08-22 07:48:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72c6e10044504d1bbc3908a09599065a SHA-1: c72587d8f42885b8c58b68c0db6dc556b161676f SHA-256: 82399e93503d69e3729fff3526723f837e13e1b3f7a70854556bc5067c19293d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to a redirector service. The primary malicious URL identified is ttraff.ru, which is known to host malicious content. The document body, though heavily obfuscated, contains references to the target URL and appears to be a lure for a financial report. No scripts were extracted, but the PDF structure and embedded links strongly suggest a phishing or redirection attack.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=burkhalter+holding+ag+annual+report
    • http://files.jmn-i.com/uploads/1/3/1/4/131411539/sanorezizobe_velufok.pdf
    • http://files.coobcoffee.com/uploads/1/3/1/4/131437750/da084fa3cf7e.pdf
    • http://xevojo.emilyfuchs.ca/uploads/1/3/1/4/131409236/sopaxama.pdf
    • https://cdn.shopify.com/s/files/1/0431/0423/9770/files/artie_shaw_clarinet_concerto.pdf
    • https://cdn.shopify.com/s/files/1/0432/8049/8852/files/samotal.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rejupabofutub.pdf
    • https://cdn.shopify.com/s/files/1/0428/8095/8617/files/55252267877.pdf
    • https://cdn.shopify.com/s/files/1/0434/0714/7162/files/solomabujujixejegamo.pdf
    • https://cdn.shopify.com/s/files/1/0434/9827/4978/files/nigetekat.pdf
    • https://cdn.shopify.com/s/files/1/0440/5713/3221/files/captain_america_comics_free.pdf
    • https://cdn.shopify.com/s/files/1/0436/8000/6294/files/catalogo_avon_campaa_4_2020.pdf
    • https://cdn.shopify.com/s/files/1/0427/3097/9495/files/5275382561.pdf
    • https://cdn.shopify.com/s/files/1/0433/7264/2454/files/71129197676.pdf
    • https://cdn.shopify.com/s/files/1/0435/6472/8483/files/54316667362.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066fc.bin
26c66ea556fc7f436ed7c08a0852e78c49909d782148ca8d1c6411a945192dee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66FC 5036 bytes
font_01_sfnt_off00007811.bin
957521158425214f369c37be8b13b142be0f62b4aa1f0ec5a67d42a276a565ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7811 11292 bytes
font_02_sfnt_off00009e92.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9E92 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.