Malicious PDF — malware analysis report

Static analysis result for SHA-256 a140c77a1347a143…

Verdict: MALICIOUS
File type: PDF
Size: 43.8 KB
Created: 2020-08-06 09:39:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 559c712407cdf96eec720601abde05f0
SHA-1: 99adc4ae2bc6ec5a72d662d3290be3086b287925
SHA-256: a140c77a1347a143471b3e775198ef90eb9ab5be5817ddd562c4e3fd9a9d200d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, a technique often used to redirect users to malicious sites. One critical heuristic identified a link to a known malicious redirector, 'ttraff.ru', which is disguised as a service manual. Another heuristic flagged the PDF as a link farm, with many external PDF links, suggesting an attempt to manipulate search engine results or distribute further malicious content. The presence of these link farms and the malicious redirector indicates a social engineering attack aimed at driving traffic to potentially harmful websites.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.ru/wb?keyword=yaesu%20ft%20857%20service%20manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006075.bin | 00b78a02eea5acca860f9ce965ad33122a7637b01cebad7eafc1469054f26c31 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6075 | 5444 bytes
font_01_sfnt_off000072fb.bin | e7662047a7b094d9f4a3ad52727ee7282407046652df45c743a2334c59d53c19 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x72FB | 15372 bytes