Malicious PDF — malware analysis report

Static analysis result for SHA-256 ace9057ebe5616f4…

MALICIOUS

PDF

42.6 KB Created: 2020-08-30 22:08:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 803043bf8ef445905008f386b07ef716 SHA-1: 3f85535e9e7f612f6b9eabfd520dd3458f555544 SHA-256: ace9057ebe5616f410b08202f0620a6835d7ce760245a556cf670b8f3d1945fc
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.ru/wix?keyword=noblex+pro+175+u, which is flagged as malicious. The presence of a 'download button' heuristic further supports a lure-based attack. The file is likely part of a link farm designed to drive traffic to malicious sites.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=noblex+pro+175+u
    • https://static.usrfiles.com/ugd/b8c837_36791c1b61324c0e93b04f5527d5f766.pdf
    • https://static.usrfiles.com/ugd/b8c837_b41ed9564edc49e481e31d1d9dac9b30.pdf
    • https://static.usrfiles.com/ugd/e3ed1f_29e222167d364487b92e0bf6b635e69d.pdf
    • https://static.usrfiles.com/ugd/e1c37d_27342e72de6347789100c419d712b9ed.pdf
    • https://static.usrfiles.com/ugd/b8c837_b644774a7460409fb246c2c0605552bb.pdf
    • https://static.usrfiles.com/ugd/73c254_73ec5d8b13f14656bb13302401f98c59.pdf
    • https://static.usrfiles.com/ugd/b8c837_7ee74ab9be734382adc4f1d9a70bd5dd.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ed49e42b37b4c1193effd74ed9735f2.pdf
    • https://static.usrfiles.com/ugd/9374a7_185bb88893ac4f80890ab69605f70db8.pdf
    • https://static.usrfiles.com/ugd/93971e_32dc8cc3bb6e4a61840bb7cfca605c91.pdf
    • https://static.usrfiles.com/ugd/b8c837_5cdb6847933b43199d51d19747e5f3ae.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_363c1aa3b0004ceea4c9e108ab1ff0f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_7492fa46f0884664b73071ecbe1ce725.pdf
    • https://static.usrfiles.com/ugd/b8c837_bc4b5000d7e140c89d5fb2220bad0f8b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006136.bin
099a9ec28f518fc3bd664ca9907d1d9ce469c475a7eb9449d5ba333b11b81221		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6136 4860 bytes
font_01_sfnt_off000071e3.bin
447a71226e1e3b9ed436ed286d07e509132f05182cfe19dc91780e847e57c5b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71E3 14248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.