Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1e893b9820a4a4d…

MALICIOUS

PDF

62.7 KB Created: 2020-08-29 21:47:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45b2afa60777ddcaaf70a982b95e014f SHA-1: 2861f2abfe69f93c4acbd33c96db05e6ff8fcb4f SHA-256: a1e893b9820a4a4d24820d333e412235a95ed3b18dc092fac3907e319caef991
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing indicating it links to known malicious redirector infrastructure, specifically 'https://ttraff.ru/wix?keyword=free+hookup+sites'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://static.usrfiles.com/ugd/b52961_1fa120d09020465ca19dba7122f04b3a.pdf' being the first identified. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the lure. The primary attack pattern involves redirecting users to potentially harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=free+hookup+sites
    • https://static.usrfiles.com/ugd/b52961_1fa120d09020465ca19dba7122f04b3a.pdf
    • https://static.usrfiles.com/ugd/b8c837_0d86661d72384d4a871cc108e663307e.pdf
    • https://static.usrfiles.com/ugd/de65f7_d1db82072fef4f8bad9797ed95a6296d.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a9d218db1734f8c8b821eedfad2348a.pdf
    • https://cdn.shopify.com/s/files/1/0431/2553/8965/files/mr_heater_troubleshooting.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/muzaloxebomasu.pdf
    • https://cdn.shopify.com/s/files/1/0430/8900/2653/files/73021635150.pdf
    • https://cdn.shopify.com/s/files/1/0437/6169/6925/files/vubojububuzesiwukuli.pdf
    • https://cdn.shopify.com/s/files/1/0437/4714/7925/files/data_cheat_coin_dls_2019.pdf
    • https://cdn.shopify.com/s/files/1/0440/3026/3446/files/pelicula_el_maquinista_online_espaC3B1ol_latino.pdf
    • https://static.usrfiles.com/ugd/b8c837_eb2f0606e16f4f47803da1a71a0a1434.pdf
    • https://static.usrfiles.com/ugd/b8c837_73c3feb5774a4625a0513c9c1c281488.pdf
    • https://static.usrfiles.com/ugd/db93e9_2a0ee51995ec45beba26c30b192961cc.pdf
    • https://static.usrfiles.com/ugd/b8c837_a3fa0ae77c684d6c86a0dba9d025c331.pdf
    • https://static.usrfiles.com/ugd/b8c837_728cd89036d54d069341e7f9b088b0f1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b9e6.bin
7183fee30c3082e57273db2cad0e87795304a864d4a00178dba2bbaa0d88d5c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB9E6 4684 bytes
font_01_sfnt_off0000c9cf.bin
0fa01521852eb574f67c9ee6fd69379ce30fce301f9cf8586a096d68cf9133dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC9CF 10640 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.