Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c08beee5b54fbf1…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Created: 2020-09-01 02:16:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61fa03d30f3db3c3034c88391236f0cc
SHA-1: 4f40f9830312fab6ef386af6e62ca076852dc0d3
SHA-256: 8c08beee5b54fbf1c1dd2cd765b4f9b55502bc0d7adc31665d7d7a8deb959193
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits malicious behavior by hosting a link farm, as indicated by the PDF_SEO_LINK_FARM heuristic. One of the embedded URLs, https://ttraff.ru/wix?keyword=online+android+studio, is flagged as a known malicious redirector. This suggests the document's primary purpose is to lure users to malicious sites, likely for phishing or to download further malware.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=online+android+studio
    • https://static.usrfiles.com/ugd/4117a9_3e6d64f916e8473a9236661498c3c604.pdf
    • https://static.usrfiles.com/ugd/24853a_27932df899d646899e4337f24309ebbc.pdf
    • https://static.usrfiles.com/ugd/4dd980_fb8f01f26ef94ca7a08540c2eef64689.pdf
    • https://static.usrfiles.com/ugd/ea5d7b_7d74c6ce0c344e3eb002117032579d82.pdf
    • https://cdn.shopify.com/s/files/1/0460/7108/7268/files/rukejozagibira.pdf
    • https://cdn.shopify.com/s/files/1/0431/8609/4248/files/kamijosadakafuru.pdf
    • https://cdn.shopify.com/s/files/1/0433/3702/3656/files/agyaat_1_full_movie.pdf
    • https://cdn.shopify.com/s/files/1/0433/3040/4506/files/caterpillar_iso_9001_certification.pdf
    • https://static.usrfiles.com/ugd/b58d21_47fdd2039cf24c9a9d33e13d24c888fc.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_bda646da36cd447b8f9338255a2eea2a.pdf
    • https://static.usrfiles.com/ugd/374ce0_1caaa9a1402449b883b8f03085303a79.pdf
    • https://static.usrfiles.com/ugd/b8c837_30b21e8df89f4237b293259c0d393f57.pdf
    • https://static.usrfiles.com/ugd/111c46_71847bef6e3f4b54a31a8851c0078ca5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                   Size
font_00_sfnt_off00007227.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x7227  4844 bytes
  SHA-256: a68a73fc854d498d171b71ad6c6f3277b4a17177fd62e441f48a7e51779fd06c
font_01_sfnt_off000082a6.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x82A6  10744 bytes
  SHA-256: 3c1ea267afd9602edb0e4149ace9e8ec9f4381b5e0ea869926fa6c5527ea1df9