Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8bd5cf3a79e5c30…

MALICIOUS

PDF

35.4 KB Created: 2020-09-02 00:51:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ec2e0a6784b9366f96d2fdf79ef1178 SHA-1: dca1c4a45cb719da96e0ea0d77b54741a48c8e26 SHA-256: a8bd5cf3a79e5c302b381575dd680c1975e78ff798503b6f40460d20c2d314a2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic identifying it as a PDF link farm. One of the primary links, 'https://ttraff.ru/wix?keyword=acer+c120+projector+manual', is flagged as malicious. The document body, though heavily obfuscated, contains text related to 'Acer c120 projector manual' and the URL, suggesting a lure to trick users into clicking the malicious link. The presence of many Shopify links, including one to 'xadad.pdf', indicates a coordinated effort to distribute content, likely malicious.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=acer+c120+projector+manual
    • https://cdn.shopify.com/s/files/1/0433/0147/0366/files/xadad.pdf
    • https://cdn.shopify.com/s/files/1/0431/2501/4684/files/85122048858.pdf
    • https://cdn.shopify.com/s/files/1/0429/7277/4556/files/breitling_aerospace_titanium_user_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/12086745869.pdf
    • https://cdn.shopify.com/s/files/1/0428/2744/8476/files/conversion_de_grados_a_radianes_y_viceversa.pdf
    • https://cdn.shopify.com/s/files/1/0436/0352/5794/files/31611775144.pdf
    • https://cdn.shopify.com/s/files/1/0439/1940/9320/files/trigger_ancient_egypt_a_social_history.pdf
    • https://cdn.shopify.com/s/files/1/0428/1355/4855/files/cancionero_para_guitarra_rock_nacional.pdf
    • https://cdn.shopify.com/s/files/1/0437/6464/6049/files/bozireliter.pdf
    • https://static.usrfiles.com/ugd/dc8a8e_88120700111d4a84830feaf5fd04417f.pdf
    • https://static.usrfiles.com/ugd/d5cf39_29c7c4c22c8a4a2486cc45c7aa5103de.pdf
    • https://static.usrfiles.com/ugd/a2e20a_d702f2aa240d4caca2ee1f5c0f62c6e1.pdf
    • https://static.usrfiles.com/ugd/3de8a6_bec48686e48942d28bda1d3eae9f0288.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ccc.bin
5f20b79edae842c1a76e2ae22d6ac127221dc0695b508caa03805e45bd58db7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CCC 5292 bytes
font_01_sfnt_off00005ebf.bin
e38f6221a0699834001dddd7436f5cea907355ab4217ec7cbb43d74256f6c645		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EBF 10092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.