Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ec7af5ad4bbf6b5…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Created: 2020-08-29 22:57:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c0b936f77e235a4941ad1a2b01339c2
SHA-1: c48806d3d319fdb1c3966036f79cf2408381ebf8
SHA-256: 8ec7af5ad4bbf6b590015c904f50fbdfb8602531e8e9f6bb2705313d01998359
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as a malicious redirector due to the presence of numerous external links. One critical heuristic flagged a link to `ttraff.ru`, which is known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the same URL and references to other PDF files hosted on `static.usrfiles.com`, suggesting a link farm or SEO poisoning tactic. The primary intent appears to be directing users to malicious content via the `ttraff.ru` URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/wix?keyword=frank+whitby+university+of+utah

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005f85.bin
    SHA-256: 593c98a620d0279490ad74f86953f450c439448b108b811ec82a833d4d1785f1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F85
    Size: 5236 bytes
  • Filename: font_01_sfnt_off0000716a.bin
    SHA-256: f75365990300ab92b136a968464806c48e9e348db062e98c91ea46e0f489adc4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x716A
    Size: 10268 bytes
  • Filename: font_02_sfnt_off000094c5.bin
    SHA-256: 9bb10d83f7fc04780445ff594c84378026daecedb7806248e34a32adbdaf2e6c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x94C5
    Size: 17588 bytes