Malicious PDF — malware analysis report

Static analysis result for SHA-256 90acab2083dbdc36…

MALICIOUS

PDF

71.4 KB Created: 2020-08-31 10:07:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78c6994e89f682888de1c77b650470e4 SHA-1: a595d2429e3bc391ef45602668f0032d08a63145 SHA-256: 90acab2083dbdc362fc45490060078ad91a6529837444f838e2fb5d399a0d24d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating a malicious redirector link. The primary malicious URL identified is https://ttraff.ru/wix?keyword=%25D9%2584%25D8%25B9%25D8%25A8%25D8%25A9+%25D8%25AC%25D9%2586%25D8%25B3+%2528%25D8%25B3%25D9%2585%25D8%25A8%25D8%25B3%25D9%2588%25D9%2586%2529+%25D9%2585%25D8%25AC%25D8%25A7%25D9%2586%25D9%258A%25D8%25A9. While many other links point to benign Shopify domains, the presence of the redirector suggests a phishing or scam attempt. No scripts were extracted, and the document body was unreadable binary data.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=%25D9%2584%25D8%25B9%25D8%25A8%25D8%25A9+%25D8%25AC%25D9%2586%25D8%25B3+%2528%25D8%25B3%25D9%2585%25D8%25A8%25D8%25B3%25D9%2588%25D9%2586%2529+%25D9%2585%25D8%25AC%25D8%25A7%25D9%2586%25D9%258A%25D8%25A9
    • https://cdn.shopify.com/s/files/1/0435/8973/0472/files/jodute.pdf
    • https://cdn.shopify.com/s/files/1/0433/5819/1768/files/51086828620.pdf
    • https://cdn.shopify.com/s/files/1/0430/6396/7906/files/dadikozewewedamidupev.pdf
    • https://cdn.shopify.com/s/files/1/0432/7797/5717/files/50731695943.pdf
    • https://static.usrfiles.com/ugd/1c90dc_87509a18861e4e6891beb6601b8f7b83.pdf
    • https://static.usrfiles.com/ugd/6908d7_53acf3c068444605be5e9297b8290c1d.pdf
    • https://static.usrfiles.com/ugd/3d0627_67a636ebebbd441bb4dded39e735765a.pdf
    • https://static.usrfiles.com/ugd/5926b4_ea83f46b231541829769ca82f9c97e56.pdf
    • https://static.usrfiles.com/ugd/83b1b3_4c4163beeb5447fdb829f5b1b3806427.pdf
    • https://static.usrfiles.com/ugd/9a242c_87d2377889bf494ea6c7d2ff404fa500.pdf
    • https://static.usrfiles.com/ugd/89064d_ded1572c28f44718905c33c75694b741.pdf
    • https://static.usrfiles.com/ugd/ca32a8_2970018c6c3c4676afd51602e7a92377.pdf
    • https://static.usrfiles.com/ugd/b8c837_6e47c7c7d1a6442d8ebdcdc9369fa4d1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0000d711.bin
a82ff9114f08ba13b8acc90f049a408bfce4e7bc4cb734e8d10890f5611b81b4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xD711 31080 bytes
font_00_sfnt_off00008150.bin
7dfd8f7f742685eb0a11211debeead47d600a0dd1fe0c4ed8267bb7397e83cc2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8150 4220 bytes
font_01_sfnt_off00008fc4.bin
93922fec98488202c4277ece26cf064b31bc663cccbd1c55cb046e9d44a0c211		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8FC4 4380 bytes
font_02_sfnt_off00009d41.bin
c56f8382be2909058aa154c0497022df36331499c7fd7a7328ac6f4173d04564		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9D41 18248 bytes
font_03_sfnt_off0000b8c6.bin
e2a2548cbda0558dcb3fb48a1403e4caacb9c888646874d55a5cf2d676f89df2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB8C6 8872 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.