Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f2c889fe34a5c09…

MALICIOUS

PDF

46.3 KB Created: 2020-08-31 06:42:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88846e3c79278a41e96d9c574ceee634 SHA-1: 7d447a840c72bbfdcd7a56e58e09952ec05bc82e SHA-256: 9f2c889fe34a5c0984a5dcf10d2c2b810ce82347001362ab0db15ae0e42a4b7a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=dominos+allergy+menu'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The file also contains a heuristic for a PDF link farm, indicating a broader campaign to distribute malicious content. No scripts were extracted, and the family is unknown due to the lack of specific indicators.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=dominos+allergy+menu
    • https://static.usrfiles.com/ugd/735189_6ac35cf5e63c43528a43cc1db51b1cd8.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc17681cc45544259d04b49a771b5b28.pdf
    • https://static.usrfiles.com/ugd/10e3af_9e7addf1d9da49fc95225901a58ec0a1.pdf
    • https://static.usrfiles.com/ugd/67e251_06d2a4f39ada4df9a3ca7b78155c2bf0.pdf
    • https://static.usrfiles.com/ugd/accd1f_c574e2bbfa31403aaec5d02175589a25.pdf
    • https://cdn.shopify.com/s/files/1/0430/6645/8265/files/catalog_supreme_cable.pdf
    • https://cdn.shopify.com/s/files/1/0435/4329/8207/files/john_deere_216.pdf
    • https://cdn.shopify.com/s/files/1/0437/0140/3801/files/rinum.pdf
    • https://cdn.shopify.com/s/files/1/0438/5911/6182/files/rooftop_swimming_pool_construction_details.pdf
    • https://static.usrfiles.com/ugd/b8c837_183dee66511e41689441a2e662871401.pdf
    • https://static.usrfiles.com/ugd/23b571_fa92e0995663460a9722993485e4912b.pdf
    • https://static.usrfiles.com/ugd/628a76_674d6da7a94a41bbb61dcd6ee8c8c1d4.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_08d18f35ac824271b3045c7fe9f4cb2d.pdf
    • https://static.usrfiles.com/ugd/ea9bdf_4ece5e9d1ea64b2f8f1a55b38e160589.pdf
    • https://static.usrfiles.com/ugd/585b1d_88d203b63b8e4ee69e32a4a95b7a1676.pdf
    • https://static.usrfiles.com/ugd/0a052f_69bd49bb578f4132be20cd94e8610677.pdf
    • https://static.usrfiles.com/ugd/47b1e8_b541e32a6494413ab750d3bbc24f1021.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d95.bin
1ea0aac13d7fcffe15d5b94c046be3a9da5247763f077d7823de267ea57433e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D95 5104 bytes
font_01_sfnt_off00007ee1.bin
e7aa2e2f3e5d87fe60986347325a2946b1f3e2b21baca86803ec786c35c6089b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EE1 14548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.