Malicious PDF — malware analysis report

Static analysis result for SHA-256 875e6bd1a1eae040…

MALICIOUS

PDF

39.3 KB Created: 2020-08-31 15:16:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53eb9dfc942e0c884edded6dd6c469e7 SHA-1: ea85a6eb15ec380f856be3890d97c3491d00b019 SHA-256: 875e6bd1a1eae040f1145dba9fc8fff6ea1b5f9a15554d654f1fcd1f7ebfbfce
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=contractions+worksheet+free'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links to external PDFs hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same malicious URL and benign-looking PDF titles, suggesting a lure to disguise the malicious intent. The primary goal appears to be directing users to the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=contractions+worksheet+free
    • https://static.usrfiles.com/ugd/b8c837_dd5307d50f8c420bb8eef6f98dc113ef.pdf
    • https://static.usrfiles.com/ugd/078c79_ddd8d24c8f824c0192018603319c103d.pdf
    • https://static.usrfiles.com/ugd/34ec99_a3ac4bc901e54e9bad75fa078c8b4922.pdf
    • https://static.usrfiles.com/ugd/b8c837_3279adcd308141108f647b98d0b30610.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_2e88b47714ee40f5b1b8bf55be2a1792.pdf
    • https://static.usrfiles.com/ugd/b8c837_ee9db509fe3b41b8b98ae1688667e26e.pdf
    • https://static.usrfiles.com/ugd/b4a829_b613eb22b22e41459582f846f6d57bb7.pdf
    • https://static.usrfiles.com/ugd/b8c837_9205e142f72a4937a5e236e07320cc8b.pdf
    • https://static.usrfiles.com/ugd/98857b_944a92a0d83748f1b8322f804db873a9.pdf
    • https://static.usrfiles.com/ugd/738632_0ac23ef679004b5fbc935432acb792e1.pdf
    • https://static.usrfiles.com/ugd/b8c837_c22b1b2e990942fdb564d53f60248541.pdf
    • https://static.usrfiles.com/ugd/69695d_a1a9399fe557446e845851a2d3f44f4e.pdf
    • https://static.usrfiles.com/ugd/22739b_cff9c5aab2814345bf8a3949a3f91d6d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c44.bin
1ca8c3857279e9cfd108db76d5e75914051ea759d9ce7e538f6e50f3fdf54eea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C44 4996 bytes
font_01_sfnt_off00006d4c.bin
e32016d2b7c5cf2982eecb815375797aa7b5e1f21a3d3c3029912fddf11304fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D4C 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.