Malicious PDF — malware analysis report

Static analysis result for SHA-256 94f0f390279d645f…

Verdict: MALICIOUS
File type: PDF
Size: 36.1 KB
Created: 2020-08-29 14:44:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4396dfd4403eac2f05df9fe45239085b
SHA-1: e9a28de543bbc80dfae2e27325286f3404152a10
SHA-256: 94f0f390279d645ff61229e5fc83dac50a338635e56b14554d2d2cac99cdf3b0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=peavey+amp+serial+number+lookup'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many pointing to 'static.usrfiles.com'. The document body appears to be corrupted or obfuscated, but the presence of the malicious redirector URL is the primary indicator of malicious intent, likely serving as a lure for further malicious activity.

Heuristics (3)

  • [critical] PDF links to known malicious redirector infrastructure (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] Small PDF contains mass external PDF link farm (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.ru/wix?keyword=peavey+amp+serial+number+lookup (flagged redirector; see PDF_MALICIOUS_REDIRECTOR_LINK above)
    • (further extracted link-annotation URLs, mostly on static.usrfiles.com, plus XMP metadata namespace URIs, omitted)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004e2f.bin
  SHA-256: 0ad903a4e91e531bcd2458353e51b88e4a195265b686b658775c88bb62b8149f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4E2F
  Size:    5332 bytes

Filename: font_01_sfnt_off0000603c.bin
  SHA-256: cf90a92ccbf4990cc5fb086f6d396eccb3afed4f200683ef8f7b8d93006b1c4e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x603C
  Size:    10384 bytes