Malicious PDF — malware analysis report

Static analysis result for SHA-256 987f32bed57b271d…

MALICIOUS

PDF

41.8 KB Created: 2020-08-30 09:55:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d80252f14fb21a7f337462d67c9954b SHA-1: b9d4668cd972cd4778136849225327139c13b4fa SHA-256: 987f32bed57b271d0e85c456a99821968fc9604c7dd6b94c4f2862793425fb66
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=farberware+pressure+cooker+owner%2527s+manual'. Additionally, it exhibits characteristics of a PDF link farm, with numerous external links, many of which are to static.usrfiles.com. The document body, though partially garbled, contains text related to a 'Farberware pressure cooker owner's manual' and includes the malicious URL, suggesting a lure to a potentially malicious site. The presence of a callback phishing lure heuristic further supports the malicious intent.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=farberware+pressure+cooker+owner%2527s+manual
    • https://static.usrfiles.com/ugd/b8c837_cf8f1c74bba84346a52ba7176da17185.pdf
    • https://static.usrfiles.com/ugd/b8c837_9715053a54e94b3b8f940633536883ea.pdf
    • https://static.usrfiles.com/ugd/b8c837_a89861ec2d0148a5bc7c1a34fe376d43.pdf
    • https://static.usrfiles.com/ugd/97634b_2f97ad0e090a477d912ffd8d7b0d003f.pdf
    • https://cdn.shopify.com/s/files/1/0433/6612/1623/files/sql_server_dba_scenario_based_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/5548/0981/files/probability_using_permutations_and_combinations_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0432/0994/9341/files/gevakemorugubimesekagif.pdf
    • https://cdn.shopify.com/s/files/1/0427/4431/6070/files/binary_to_hexadecimal_conversion_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0435/4542/8120/files/finding_the_discriminant_worksheet.pdf
    • https://static.usrfiles.com/ugd/10e3af_bbf2e9ab7be44d8085866c01857363dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_33284a30091f4077a062a2edbcfe5c9e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006208.bin
d8fbbc8ef4518e582c4c168bb1466c3b233f1d25717a81915c0986a6ec02c282		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6208 5364 bytes
font_01_sfnt_off0000744b.bin
620270bea6f79ce09a8a56942f40ca8bf3aee4a0869973e5eae7a1d26211ebf5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x744B 11216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.