Malicious PDF — malware analysis report

Static analysis result for SHA-256 a16388e2ea97f3cb…

MALICIOUS

PDF

41.5 KB Created: 2020-09-01 03:57:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85c2ebd01997b627a0f1826d15349bef SHA-1: 5375080703cf2690caec5e160593d23df423d915 SHA-256: a16388e2ea97f3cb387556b55259a85c07f3aee7b90fbd1b0ce9731cb36c4057
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=drpciv+chestionare+auto'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs. The document body, though partially corrupted, contains text related to "Drpciv chestionare auto" and the tool wkhtmltopdf, suggesting a lure for users seeking automotive testing information. The primary attack pattern involves redirecting users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=drpciv+chestionare+auto
    • https://cdn.shopify.com/s/files/1/0438/4204/4066/files/mazda_3_android_auto_not_working.pdf
    • https://cdn.shopify.com/s/files/1/0433/9620/2652/files/40563062858.pdf
    • https://cdn.shopify.com/s/files/1/0431/7508/4193/files/39527758492.pdf
    • https://cdn.shopify.com/s/files/1/0439/7904/7070/files/rita_pmp_8th_edition.pdf
    • https://static.usrfiles.com/ugd/8b4172_dc1878d03afe47a089aeabec8e299612.pdf
    • https://static.usrfiles.com/ugd/b8c837_31facdb28ae3470c841cfb5e3d84d451.pdf
    • https://static.usrfiles.com/ugd/e2c250_cb4612cedb8d4e5fa2b949956c8d7b09.pdf
    • https://static.usrfiles.com/ugd/b8c837_dfe1d7760b8645cd8075260c6caec18d.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_bff91dc397664208b6fe0ef3a5fc4004.pdf
    • https://static.usrfiles.com/ugd/b8c837_6245bf216f30484d83cdd35d1fab4265.pdf
    • https://static.usrfiles.com/ugd/f4de5e_c0b338900a054b5c9ccfbcf74009c9f4.pdf
    • https://static.usrfiles.com/ugd/daca0d_d186d68b83a944c38ad69ed64713134f.pdf
    • https://cdn.shopify.com/s/files/1/0429/8519/3621/files/secured_transactions_flow_chart.pdf
    • https://cdn.shopify.com/s/files/1/0433/1061/2644/files/29471266927.pdf
    • https://cdn.shopify.com/s/files/1/0430/7193/0529/files/bancassurance_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006637.bin
09def2a637543a35a0fad2b033ae33dc0d1576746188bd87618e2ea0f829a965		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6637 5048 bytes
font_01_sfnt_off00007766.bin
af058858e61ac050478715ff7f8756de116298a028d0dafba0f0e1afdc60f3a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7766 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.