Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa885890ccc63266…

MALICIOUS

PDF

38.0 KB Created: 2020-08-31 06:45:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 44800aac7c5bd3433a45f546c7dbfb61 SHA-1: 7185ea7f4dea88ede32ca6e04b88bb08bf9107d3 SHA-256: aa885890ccc63266f76ac2689b67cc96a46299ca826749a8a55a8dab9f4b7a65
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with a critical heuristic firing indicating a PDF link farm. One of the primary links, 'https://ttraff.ru/wix?keyword=archeage+fov+mod', is flagged as malicious, suggesting a potential redirection to harmful content. The document body, though heavily obfuscated, also contains this malicious URL and numerous other links to PDF files hosted on Shopify and static.usrfiles.com, indicating a likely SEO manipulation or content distribution scheme.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=archeage+fov+mod
    • https://cdn.shopify.com/s/files/1/0431/6001/0912/files/82057277039.pdf
    • https://cdn.shopify.com/s/files/1/0431/8894/5045/files/22333326620.pdf
    • https://cdn.shopify.com/s/files/1/0430/3169/1421/files/fibubupeto.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f54dcd7a6aa41818db7af5c9f301ed3.pdf
    • https://static.usrfiles.com/ugd/ce14f3_8a066796885242d890d9c0460c1f5e77.pdf
    • https://static.usrfiles.com/ugd/5ecadc_af63c63296b0485eae938d19c039a94b.pdf
    • https://static.usrfiles.com/ugd/a2d007_edb9774ebc084e4f8a33765264e8b80a.pdf
    • https://static.usrfiles.com/ugd/26481d_a1212ae59eac4a4dbad988abf571d2cc.pdf
    • https://static.usrfiles.com/ugd/b8c837_b0045a5acf644ecd8e81c7dd61163492.pdf
    • https://static.usrfiles.com/ugd/b8c837_eeb3b2e7382c4d3a8e6af164e73f8587.pdf
    • https://static.usrfiles.com/ugd/b8c837_80aecbb1ed024a25a680bbeac7b79734.pdf
    • https://cdn.shopify.com/s/files/1/0437/4999/8743/files/29454457234.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lunugituvalu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000536d.bin
c5e0bc4e0a53fa26fb92328c904516926342c3ebcfe344403d6b2bd69fa4b6b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x536D 5272 bytes
font_01_sfnt_off00006541.bin
afd1236413fd02b1878925dd176d5aee62c5a634ffbe85adc560e38b127b40b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6541 11536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.