Malicious PDF — malware analysis report

Static analysis result for SHA-256 96c2e032308f59b7…

MALICIOUS

PDF

36.5 KB Created: 2020-08-31 05:31:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e228d231e264d0d0407203e005d22f4 SHA-1: 57d1418e61c9428aac4bae3ac8e7a65b029b1758 SHA-256: 96c2e032308f59b71b5d12dfb302b7aef9ba4fbbf1f1a8c528656b0c7c577fa3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=usos+e+costumes+dos+tempos+b%25C3%25ADblicos'. Additionally, another critical heuristic indicates a PDF link farm with numerous external links, many hosted on Shopify. While some linked PDFs are benign, the presence of a known malicious redirector suggests a malicious intent, likely to lure users to harmful content or phishing sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=usos+e+costumes+dos+tempos+b%25C3%25ADblicos
    • https://static.usrfiles.com/ugd/1e32c2_3ab11aefe0eb44c1865a80e4200bc7ad.pdf
    • https://static.usrfiles.com/ugd/726ec9_19bf0c228d4640d886077cbe8de7dd05.pdf
    • https://static.usrfiles.com/ugd/2274a7_6c60657c526a4392a97568b2b1735d7b.pdf
    • https://cdn.shopify.com/s/files/1/0433/4714/8950/files/star_vs._the_forces_of_evil_the_magic_book_of_spells_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/2804/6233/files/tesaxesukapodidizunew.pdf
    • https://cdn.shopify.com/s/files/1/0433/3158/4153/files/63671036208.pdf
    • https://cdn.shopify.com/s/files/1/0433/2804/5209/files/minecraft_max_enchantment.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/the_birth_of_african_american_culture.pdf
    • https://cdn.shopify.com/s/files/1/0429/4190/7110/files/kuzelabanituzogajiz.pdf
    • https://cdn.shopify.com/s/files/1/0431/6954/6395/files/pitobipawevagirimoxeja.pdf
    • https://cdn.shopify.com/s/files/1/0435/8062/0963/files/zozebipusowunixe.pdf
    • https://cdn.shopify.com/s/files/1/0432/1548/7137/files/60898667834.pdf
    • https://cdn.shopify.com/s/files/1/0437/1028/3931/files/44368115209.pdf
    • https://cdn.shopify.com/s/files/1/0431/2930/7287/files/66893450667.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d38.bin
7d6155b29727e74c4e8af0b383213c547cc4f039ad5ff3a798a981c12736c0a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D38 5100 bytes
font_01_sfnt_off00005e7e.bin
ab1952b18b79bab72d067942eab7c4205a12df5ef634afdda10c2c734f9e5148		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E7E 12256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.