Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae840727ab66c26c…

MALICIOUS

PDF

39.0 KB Created: 2020-08-30 08:26:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6449e35fa893b73ab6e304801c97c0c4 SHA-1: 13792a488a83e22f25ef2f91694054a1381b1654 SHA-256: ae840727ab66c26c95fc793e7668da59f3dbd4efcae10ffa85875f9be28bcc90
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.ru, which is designed to lead users to further malicious content. The document also exhibits characteristics of a callback phishing lure, suggesting an attempt to trick users into calling a fraudulent number. The presence of a link farm further indicates an effort to distribute malicious content or phish for information.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=blaupunkt+dab+radio+all+in+one
    • https://static.usrfiles.com/ugd/2e4eb4_630c54849887437cb7a42ce6073867b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5eb5ae4d6544599a977c6d99d24de4d.pdf
    • https://static.usrfiles.com/ugd/b8c837_62e8dabb33c44878b688fbbec30ba2a1.pdf
    • https://cdn.shopify.com/s/files/1/0429/6173/1743/files/76940636404.pdf
    • https://cdn.shopify.com/s/files/1/0438/2598/7734/files/4_caliphs_of_islam.pdf
    • https://cdn.shopify.com/s/files/1/0430/8680/7201/files/40903722510.pdf
    • https://cdn.shopify.com/s/files/1/0431/6764/5857/files/34009567881.pdf
    • https://static.usrfiles.com/ugd/b8c837_5ac3ee028dd74febb13802a87a7de7f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_c9b8e2d6641343489e16d1e6645c7033.pdf
    • https://static.usrfiles.com/ugd/b8c837_8e9cc5ab94c448da854a1bd4eeb2081d.pdf
    • https://static.usrfiles.com/ugd/0047a4_118e73542c1543319eb94c7b773b3394.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b82.bin
af08e6e5762610e2e3d25150d355cd93a8f806b51d8abbd0c6de8b614fe9984b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B82 5028 bytes
font_01_sfnt_off00006c9f.bin
11f1b22582e0ea5030740a26f1d9e4b756aa09c847594a2b917d60f6a1fb70d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C9F 10256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.