Malicious PDF — malware analysis report

Static analysis result for SHA-256 903ccd45f51c0703…

Verdict: MALICIOUS
File type: PDF

Size: 46.2 KB
Created: 2020-09-01 00:05:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 44cfa2b1a8adc01a93c1593b611c4892
SHA-1: 48e4c7b469564f01d5a88853b687005d084e9d76
SHA-256: 903ccd45f51c070366ad2771e4d2d874c9e20d24f26772dd1f11ec9acf66f587
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains embedded links that point to a known malicious redirector, ttraff.ru. The document body, though heavily obfuscated, contains the URL and appears to be a lure for financial templates. The presence of multiple links to static.usrfiles.com suggests a link farm or content distribution network used to host the malicious PDF. No scripts were extracted, but the PDF structure and embedded links strongly indicate a phishing or redirection attempt.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=profit+and+loss+template+numbers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007512.bin
  SHA-256: 47c1688ad09a6ef50bf9888b6afd9bc13a9763a55175949b1e45591131c698cb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7512
  Size: 5328 bytes

Filename: font_01_sfnt_off00008711.bin
  SHA-256: 15acf3654f72fb3c5bea17b4878c7dc7f8265ca1388698cabfc9eb1af3e1f569
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8711
  Size: 11328 bytes