Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad84a9c33c39dc11…

Verdict: MALICIOUS
File type: PDF
Size: 48.4 KB
Created: 2020-08-08 16:30:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63bd857ed40e8b57e4d4dd625ec3e04a
SHA-1: 39c41aa81a4cfbde89e0d1bd0e2a0e0dc6051e84
SHA-256: ad84a9c33c39dc11b57e86233ac849b8fa18f6180193f54bdd2f62b5d3ed5c31
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1200 Hardware Additions
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.ru. The document body also contains this URL, suggesting it's the primary lure. Additionally, a PDF link farm heuristic indicates the document is designed to host numerous links, likely for SEO poisoning or to distribute malicious content. The embedded URLs, including the one to ttraff.ru, are the main indicators of malicious intent.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/wb?keyword=calcul%20d
    • http://files.rochelleanne.com/uploads/1/3/1/8/131856012/797b8b2114.pdf
    • http://newatep.hafadventures.com/uploads/1/3/1/6/131636719/fenav-gokixajeve-zawubeko-dufelofedem.pdf
    • http://files.thejuanonjuanpodcast.com/uploads/1/3/1/8/131856771/00d86ef1b.pdf
    • https://cdn.shopify.com/s/files/1/0428/5428/5479/files/gajogosogaku.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0220/files/asciidoctor_generate_maven.pdf
    • https://cdn.shopify.com/s/files/1/0437/4154/4602/files/teviwagepilo.pdf
    • https://cdn.shopify.com/s/files/1/0429/8348/9687/files/doruzudejazelon.pdf
    • https://cdn.shopify.com/s/files/1/0432/5723/3576/files/vaditoforuxexatunemi.pdf
    • https://cdn.shopify.com/s/files/1/0434/6406/5174/files/bohemian_rhapsody_piano_sheet_music_original_easy.pdf
    • https://cdn.shopify.com/s/files/1/0437/7840/8609/files/alcoro_traduzido_em_portugues.pdf
    • https://cdn.shopify.com/s/files/1/0439/3749/7243/files/12766821821.pdf
    • https://cdn.shopify.com/s/files/1/0430/5027/0869/files/90389226568.pdf
    • https://cdn.shopify.com/s/files/1/0431/9726/8128/files/dibabitewojatakot.pdf
    • https://cdn.shopify.com/s/files/1/0431/7085/7122/files/23483920261.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00005af6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5AF6  5288 bytes
  SHA-256: dce700ed19d568213e508dc94f733e8a3511ccd936802f0d59a9fcefccbf95ba
font_01_sfnt_off00006d05.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6D05  16416 bytes
  SHA-256: d08e790e9d8913b66d003ff1d43ff83520ad666aedc53024145a1211b5e1f053
font_02_sfnt_off00009de4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9DE4  16036 bytes
  SHA-256: 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb