Malicious PDF — malware analysis report

Static analysis result for SHA-256 97f48c63757fda04…

MALICIOUS

PDF

40.2 KB Created: 2020-09-02 07:46:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63c764add6055af6869551b43526df9c SHA-1: 0470d2f9ee02e68eb86c698c92c26602e9a9f5ac SHA-256: 97f48c63757fda040830b188dd2c08d79ee7f7155c1310c9d2fa3bd322ca4b38
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a link farm containing numerous external links. One of these links, 'https://ttraff.ru/wix?keyword=caterpillar+engine+codes', points to known malicious redirector infrastructure. The document body contains obfuscated text and embedded URLs, suggesting an attempt to lure users into clicking the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=caterpillar+engine+codes
    • https://static.usrfiles.com/ugd/b65acf_e9c107a8d9f54e8ba125e81e13f39bf6.pdf
    • https://static.usrfiles.com/ugd/b8c837_85c5b475ebea4a0083cc6db326990085.pdf
    • https://static.usrfiles.com/ugd/ac51ce_a37a908ae77d43528b4d2cdcb03fb16b.pdf
    • https://static.usrfiles.com/ugd/b8c837_269a0ae271c24819a837d7c986639da6.pdf
    • https://static.usrfiles.com/ugd/f65518_da308af0a5fc441aa712dc0bf155cea2.pdf
    • https://static.usrfiles.com/ugd/f967ac_1bd79417a83e4cd1a21116de7b437a0e.pdf
    • https://static.usrfiles.com/ugd/cdb50c_196cb21a518643159eb386f8d32931c3.pdf
    • https://static.usrfiles.com/ugd/b8c837_6f7f3190808d45b599d585a6502508f3.pdf
    • https://static.usrfiles.com/ugd/0582e0_5f12df68ae314f44acf97a3eb72c2c14.pdf
    • https://static.usrfiles.com/ugd/0789d5_0dde53f195a54bbb949314cad7b717e8.pdf
    • https://static.usrfiles.com/ugd/762c1a_b16418233ea340939f19be10f4e18880.pdf
    • https://static.usrfiles.com/ugd/b8c837_d7ef624ea4c24ec9b07957656968102d.pdf
    • https://static.usrfiles.com/ugd/b8c837_111be8e04a0643abb911abb56fa8c3e2.pdf
    • https://static.usrfiles.com/ugd/b8c837_a811c98b19fb400c9221fc933725b746.pdf
    • https://static.usrfiles.com/ugd/e66789_f6c1a146c02249ac89651da145223951.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f86.bin
9c2b737db7bffc855c803ffc89fe1d5e4d48b35eb9c78a0bcfd1c966e944e858		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F86 5144 bytes
font_01_sfnt_off0000710d.bin
2d2a781f0be9a760e86df85868520c2326037540141708f0887e25a0b2db2571		 pdf-font-stream PDF embedded font (sfnt) at offset 0x710D 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.