Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0aa00ecbff1bd93…

MALICIOUS

PDF

37.3 KB Created: 2020-09-02 00:42:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a801482d277f31cba4478847f224ecd6 SHA-1: 2158ffd8958638e53d2b886c24d8d5f11d49de9a SHA-256: a0aa00ecbff1bd93628b63e126bc390b53846f52dbf7018b93e4ad60ad2a1148
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.001 Malicious Link T1566.002 Spearphishing Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to ttraff.ru. It also contains a large number of embedded links, many hosted on cdn.shopify.com, which is flagged as a link farm. The document body text, though heavily obfuscated, contains the malicious URL and suggests a social engineering lure to install a browser extension or update. The primary malicious URL is https://ttraff.ru/wix?keyword=chelsy+shantel+nao+quero+problema.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=chelsy+shantel+nao+quero+problema
    • https://cdn.shopify.com/s/files/1/0463/2752/9633/files/11532571915.pdf
    • https://cdn.shopify.com/s/files/1/0433/6356/5718/files/misapu.pdf
    • https://cdn.shopify.com/s/files/1/0432/7306/0520/files/color_wheel_worksheet_kindergarten.pdf
    • https://cdn.shopify.com/s/files/1/0434/1055/5041/files/12691087566.pdf
    • https://cdn.shopify.com/s/files/1/0438/9352/2587/files/kejobivumajoga.pdf
    • https://cdn.shopify.com/s/files/1/0429/0491/2031/files/tezejegujumit.pdf
    • https://cdn.shopify.com/s/files/1/0439/3166/4552/files/98037788546.pdf
    • https://cdn.shopify.com/s/files/1/0428/9613/0211/files/35381146096.pdf
    • https://static.usrfiles.com/ugd/98e298_da0818b459a74025b8fe5ba7f9b8718c.pdf
    • https://static.usrfiles.com/ugd/868f76_a336c35f797b49e1bcd8b2849e4dbb24.pdf
    • https://static.usrfiles.com/ugd/d01287_60045796c9eb42969ab9d2d1e889e1ca.pdf
    • https://static.usrfiles.com/ugd/e02969_5aeaaafc76874c33bee92ac1289d4d60.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000044bf.bin
a898b83d8c7f3e5511e2a476f073302b7f5b31f13c3130369bced04c54fd402d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x44BF 5284 bytes
font_01_sfnt_off00005688.bin
6a098193ddf50972c28fa86a21e2744745489c8479efd378bbe4ee6be3d3f067		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5688 11108 bytes
font_02_sfnt_off00007abe.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7ABE 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.