Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b1ae4da9c19dc76…

MALICIOUS

PDF

35.4 KB Created: 2020-08-29 19:38:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9227a8de9a56166afcda51c8a167dea5 SHA-1: 3f8d1c799b647922c4d92efe06e5f391dc20a36c SHA-256: 9b1ae4da9c19dc76a95065769374e9707dae8dd03ac6e1b66ef92fddf17c4268
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=amerikan+pastasi+indir'. The document body, though heavily obfuscated, contains the same URL and text suggesting a download lure. The presence of a PDF link farm heuristic further indicates a malicious intent to distribute links. The primary attack pattern involves tricking users into visiting a malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=amerikan+pastasi+indir
    • https://static.usrfiles.com/ugd/b8c837_cc899b1769d7402da12a96490a872b75.pdf
    • https://static.usrfiles.com/ugd/b8c837_5a7a2156f61f4a679682296dcb0f3d50.pdf
    • https://static.usrfiles.com/ugd/565485_8d0875609d56453cb92aed43ad5416cc.pdf
    • https://static.usrfiles.com/ugd/b8c837_ca7214c10c1b47438db081708e9ff2ce.pdf
    • https://static.usrfiles.com/ugd/b8c837_5a5f503f28c84634846b6601de0d3aa9.pdf
    • https://cdn.shopify.com/s/files/1/0431/6463/1189/files/45733406878.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/26443777516.pdf
    • https://cdn.shopify.com/s/files/1/0469/0257/5266/files/2348392517.pdf
    • https://cdn.shopify.com/s/files/1/0431/3333/7768/files/30096822808.pdf
    • https://cdn.shopify.com/s/files/1/0463/1065/4109/files/fekomufitepumifijonesis.pdf
    • https://cdn.shopify.com/s/files/1/0431/1587/2423/files/electron_configuration_practice_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0431/6990/6854/files/47362843421.pdf
    • https://cdn.shopify.com/s/files/1/0437/6051/7274/files/.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000042bd.bin
8bd3ec8c1bd43274c81d2706b0d10d7f70d4cd8a122e38ce2a7512219f6ef7d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x42BD 5124 bytes
font_01_sfnt_off000053fe.bin
921b17cebf27161a3a6130e27837bef85d37792b87f1bb497a8066080b67046e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53FE 2052 bytes
font_02_sfnt_off00005cb4.bin
77ab45060084a394de5f843b6c837319f9294ceb59310347198c3965633a39d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CB4 10764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.