Malicious PDF — malware analysis report

Static analysis result for SHA-256 a495f1ecac81038c…

MALICIOUS

PDF

112.4 KB Created: 2020-08-31 09:09:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c2c4cbd1d6e10abee0dae628e757d41 SHA-1: 358db21773f7e964dc2e931b73234c942649e16b SHA-256: a495f1ecac81038cac6248f8c48193bd4246d931586fa6be0e8f784adfed4a63
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.ru/wix?keyword=fluke+80i+110s+manual'. The document body, though heavily obfuscated, contains text that appears to be a lure for a manual, likely intended to trick users into clicking the malicious link. The file also exhibits characteristics of a link farm, with numerous embedded URLs.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=fluke+80i+110s+manual
    • https://cdn.shopify.com/s/files/1/0431/8366/9412/files/doyles_guide_tax_lawyers_perth.pdf
    • https://cdn.shopify.com/s/files/1/0435/1007/1460/files/zirizagidobo.pdf
    • https://cdn.shopify.com/s/files/1/0435/9097/5647/files/android_studio_documentation_comments.pdf
    • https://cdn.shopify.com/s/files/1/0437/2335/8358/files/barska_mini_biometric_safe_manual.pdf
    • https://static.usrfiles.com/ugd/09c3c7_308b4059bfff47a5ae44bdf5feb337ed.pdf
    • https://static.usrfiles.com/ugd/73c254_c8f5207bd9ae46c1ba53727efb8fe2b2.pdf
    • https://static.usrfiles.com/ugd/a01749_d2a48dc87bc34657802527763841f2cf.pdf
    • https://static.usrfiles.com/ugd/0df15e_61070c037bf1448899dc05f50dacce28.pdf
    • https://static.usrfiles.com/ugd/3ab5ed_6c70e911f64a41228d8730999f2e388c.pdf
    • https://static.usrfiles.com/ugd/eed56f_83dff90df54b443696322bd81a79d4ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_3dc56d68ada946eda81287eb846f5dc3.pdf
    • https://static.usrfiles.com/ugd/7dd30d_87d700ff937c4733b3b0d8ed67858057.pdf
    • https://static.usrfiles.com/ugd/07e02c_55474e83ff7d4fcf82f69ff17d11e1e1.pdf
    • https://static.usrfiles.com/ugd/2ca09c_ab69ea7642cf441a9f82313dcd361d21.pdf
    • https://cdn.shopify.com/s/files/1/0440/1148/7397/files/buriximaxo.pdf
    • https://cdn.shopify.com/s/files/1/0431/1135/0439/files/alif_allah_aur_insaan_episode_23.pdf
    • https://cdn.shopify.com/s/files/1/0430/3313/3209/files/15036198215.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00016c27.bin
0953f6ddc9ba334a5ee11b53528b5e2d80d1cfb38754f096b7e40210e8b1b62e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16C27 5144 bytes
font_01_sfnt_off00017d98.bin
507e8cb621881765d344c5651380961698a053888ce9e4c65641a0c3ae3b2dfc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17D98 16948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.