Malicious PDF — malware analysis report

Static analysis result for SHA-256 88edd0e7be5ce322…

MALICIOUS

PDF

43.7 KB Created: 2020-08-30 04:28:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a5a25553997d5083edd4f1d0eebeafd SHA-1: 1cd87fc377caecbd25265f63267f645d311f2a0b SHA-256: 88edd0e7be5ce322c80cf65e4edd541704a675de4758b40c420d67f7a7b4ac45
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which is also present in the document body. The link leads to 'ttraff.ru', a known malicious redirector. The document is disguised as an answer key for a worksheet to entice users to click the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=characteristics+of+life+worksheet+pdf+answers+key
    • https://static.usrfiles.com/ugd/a467d2_c745dd94208449ef83f0ba03982edf41.pdf
    • https://static.usrfiles.com/ugd/b8c837_fb4d1231028042aa8fe9fca92ba0e1e0.pdf
    • https://static.usrfiles.com/ugd/b8c837_b17ce93c91c3442898b4e0ee7fd53639.pdf
    • https://static.usrfiles.com/ugd/b65acf_d94e517d0aa74a8684eb661016999e51.pdf
    • https://cdn.shopify.com/s/files/1/0436/0696/6429/files/94339643434.pdf
    • https://cdn.shopify.com/s/files/1/0429/5350/6969/files/xemonajonetepozus.pdf
    • https://cdn.shopify.com/s/files/1/0432/3462/3643/files/turataparizagexidogokofej.pdf
    • https://cdn.shopify.com/s/files/1/0437/2643/8550/files/selamuzatorabonuxoluziko.pdf
    • https://cdn.shopify.com/s/files/1/0431/2632/5409/files/bufferin_bula.pdf
    • https://cdn.shopify.com/s/files/1/0434/0292/0086/files/rurazusunajori.pdf
    • https://cdn.shopify.com/s/files/1/0435/4818/0634/files/credit_card_risk_management.pdf
    • https://cdn.shopify.com/s/files/1/0430/7091/4717/files/16754444429.pdf
    • https://cdn.shopify.com/s/files/1/0438/8998/3643/files/xodaxagugebap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000600a.bin
cffdf8d91bcedb22fefb61eac59a82c294f356cc6c1486fe653fefe9621c197d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x600A 5312 bytes
font_01_sfnt_off0000722b.bin
1b0fc61da9da6eb34a45011a3b5da2ced2180c22d08f3a0fe9c6d371f85b0613		 pdf-font-stream PDF embedded font (sfnt) at offset 0x722B 9872 bytes
font_02_sfnt_off000093e1.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93E1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.