Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6b328bb77c0d616…

MALICIOUS

PDF

44.4 KB Created: 2020-08-27 23:55:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f02255bda8be82e4bbb46c00801b18e SHA-1: b9daff93b1905a0fc8c7ed887684fcd0e3bfc4ad SHA-256: a6b328bb77c0d616465b3ab32f0e847a4137de42573554f2ed4323dc19f87590
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a malicious redirector link pointing to ttraff.ru, which is part of a link farm designed to obscure the final destination. The presence of a visible LOLBin command execution instruction suggests the document is intended to trigger further malicious activity, likely by downloading and executing a second-stage payload. The document body itself is heavily obfuscated but contains the malicious URL.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=the+paladin%2527+s+handbook+voltron+pdf
    • http://files.gozoboutiquehotelaccommodation.com/uploads/1/3/1/4/131437037/3e8569fa46c12a.pdf
    • https://cdn.shopify.com/s/files/1/0434/2949/4936/files/pan_card_nsdl_form.pdf
    • https://cdn.shopify.com/s/files/1/0432/8062/9913/files/bootable_pendrive_cmd_commands.pdf
    • https://cdn.shopify.com/s/files/1/0440/7456/5784/files/xilagovem.pdf
    • https://cdn.shopify.com/s/files/1/0459/1832/2839/files/mobile_home_inspection_report_sample.pdf
    • https://cdn.shopify.com/s/files/1/0431/3455/0177/files/52377351693.pdf
    • https://cdn.shopify.com/s/files/1/0437/9508/7522/files/berliner_platz_a2_neu.pdf
    • https://cdn.shopify.com/s/files/1/0438/1681/2706/files/freeman_biology_5th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0431/0378/1015/files/raja_ki_aayegi_baraat_movie_song.pdf
    • https://cdn.shopify.com/s/files/1/0438/3218/0893/files/90544320978.pdf
    • https://cdn.shopify.com/s/files/1/0438/4430/5061/files/sapawonira.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2960/files/92417805107.pdf
    • https://cdn.shopify.com/s/files/1/0434/4299/5352/files/64000939756.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006139.bin
1aed0a15ffc77eed7626183c60253a54d227983b6a7c17bfbfcc56b7ecacba8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6139 5376 bytes
font_01_sfnt_off0000737e.bin
948f13f2e5cb3f455df670eb1bba052f42326a6a52386744d6fa0a0a186c9c6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x737E 15648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.