Malicious PDF — malware analysis report

Static analysis result for SHA-256 95b3371eb4d7af0d…

MALICIOUS

PDF

Size: 46.5 KB
Created: 2020-08-29 18:42:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8feb422701964498fa812e3ed641d7f2
SHA-1: b61ce0c046e1373036d84416088741159f725375
SHA-256: 95b3371eb4d7af0d14520204007a85553b72e9880edadb6356aa0c306031ba97
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell

The PDF document contains a link farm designed to direct users to a malicious redirector at https://ttraff.ru/wix?keyword=second+conditional+vs+third+conditio. This URL is flagged as malicious. The document body, though heavily obfuscated, contains references to this URL and other benign-looking PDF links, suggesting a social engineering lure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=second+conditional+vs+third+conditio

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000077b8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x77B8  5192 bytes
  SHA-256: 07a2c7e14723c603170b15a05c4890376603bfaff246420c6a3656c2b6927413
font_01_sfnt_off0000894c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x894C  10452 bytes
  SHA-256: ad2f7de6d875457fa5ab7a815c1ef5e08af20956de626bf9e526166f271f1a7b