Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d853c4188ed18d1…

MALICIOUS

PDF

47.4 KB Created: 2020-09-02 18:17:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8adae831658d770d23192fce96c738e3 SHA-1: b32eb20fc99bdf8c9e6e0602d8c55e271a7fc723 SHA-256: 9d853c4188ed18d13c88a943e8d8eb086c0b1f12732a4320e2adfbe4c4930c32
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised as a 'microsoft software inventory analyzer tool'. This, combined with the heuristic indicating a fake invoice/payment lure, suggests a phishing attempt. The document also contains a large number of external PDF links, many pointing to static.usrfiles.com, which is likely part of a link farm to improve search engine ranking for malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=microsoft+software+inventory+analyzer+tool
    • https://static.usrfiles.com/ugd/1cc777_47e215ac888a4b09ab1d80dd9e419425.pdf
    • https://static.usrfiles.com/ugd/9b33c5_31e0e7ce3df1427895e0d41c6c1bf8c2.pdf
    • https://static.usrfiles.com/ugd/fd30ac_ce254259459a4c94a112bdc8964e63a1.pdf
    • https://static.usrfiles.com/ugd/d79848_2a149f70e2754dd38c798a55e0bb8de6.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_f889c3379dda42d59b31e7097013f262.pdf
    • https://static.usrfiles.com/ugd/b77b08_c6f269436b174cceb2f53d5fb894e7fc.pdf
    • https://static.usrfiles.com/ugd/5a1791_450dfd1c35924cb6bd3f652b67060906.pdf
    • https://static.usrfiles.com/ugd/c8a981_819cfe1ef9a8472ab4f0aa933a998798.pdf
    • https://static.usrfiles.com/ugd/b7082a_6a98d8fbee3648f992bb6775ae40c3b4.pdf
    • https://cdn.shopify.com/s/files/1/0461/8341/5971/files/genetec_omnicast_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/6931/7013/files/zulasodogexo.pdf
    • https://static.usrfiles.com/ugd/fd7405_23587c2542ee4f4e9c856efe5911ea54.pdf
    • https://static.usrfiles.com/ugd/1f5cef_9eb74b272b2c49a5b1fea5d91e7b639a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007b01.bin
a58337ee990e7124e7ab0da5610993ba1bffb55a88c2725ea50df3bddd037151		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B01 5184 bytes
font_01_sfnt_off00008ce2.bin
65e01855d2cc13a5914b9a9ac0c73ce0159b59f9f06f8db7fb422263acaa1577		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8CE2 10416 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.