Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ffc12e409200297…

MALICIOUS

PDF

46.2 KB Created: 2020-08-29 09:31:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 560f4ec1bbb7ce0b4b027c05548dc7c5 SHA-1: 3c58b4b9d304b6314a30a10bcb8557e6c6744a2c SHA-256: 9ffc12e4092002977e753c561bc030bc8f8bcc3e0ba3a36dd178b7e0458527e4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of the primary links directs to a known malicious redirector at ttraff.ru. The document body, though heavily obfuscated, contains the URL for the redirector, suggesting a social engineering lure to drive traffic to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=areas+funcionales+de+una+empresa+constructora
    • https://static.usrfiles.com/ugd/b8c837_471ef8e33f964ebba8d3aa96f8b02e83.pdf
    • https://static.usrfiles.com/ugd/b8c837_d160ce30a08f43b8a5703c44dd9143de.pdf
    • https://static.usrfiles.com/ugd/b8c837_efefcd1dc6be4d60a5485c2ced8d6de7.pdf
    • https://static.usrfiles.com/ugd/b8c837_30e52e76c26a4a27a458c873ae60bbbf.pdf
    • https://static.usrfiles.com/ugd/b8c837_72ce9d8498b841539ece29581a757d95.pdf
    • https://static.usrfiles.com/ugd/b8c837_a69c188e6dac4e05bb7d09d2ebeec3c7.pdf
    • https://static.usrfiles.com/ugd/b8c837_f99bd3d67a4b4b1f82edcba6edde4e40.pdf
    • https://static.usrfiles.com/ugd/b8c837_e0423ceeae1e49b89fbef4b798fe1870.pdf
    • https://static.usrfiles.com/ugd/b8c837_d59cec74088c4297bda894a3449ecb75.pdf
    • https://static.usrfiles.com/ugd/b8c837_f0b2e80b34c54a74b32ebd3bea2f8190.pdf
    • https://static.usrfiles.com/ugd/b8c837_0236fac4ae7746e88600013b3f1d13ec.pdf
    • https://static.usrfiles.com/ugd/b8c837_7bc2e472518c4cb5971b155f53cfe5c8.pdf
    • https://static.usrfiles.com/ugd/b8c837_e14af3858e1a4c8395955d88307a7e7a.pdf
    • https://static.usrfiles.com/ugd/b8c837_83c94c35d1d04a19bc32a8329cb88f04.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000073bc.bin
659784129386bbc1b1fb7428232cfcae14ea8e507b3b25052787671f185ef9ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73BC 5288 bytes
font_01_sfnt_off0000859a.bin
ffe5d34290c35a12cb954773334e0c87045865c48d004d7f75ec332f0f9d53a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x859A 11140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.