Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf36ea52f11b5abc…

MALICIOUS

PDF

62.5 KB Created: 2020-08-31 19:11:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ba21075a23c17f2fcef59e241077b91 SHA-1: 665687bd159e58f6608065ac142e58f8129214d6 SHA-256: bf36ea52f11b5abc35917a090b56352b9fcaac2875e4b36283881bef40d482e8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=user+manual+template+illustrator'. Additionally, it features a mass external PDF link farm, suggesting a coordinated effort to distribute content or redirect users. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the intent to redirect the user.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=user+manual+template+illustrator
    • https://static.usrfiles.com/ugd/b8c837_5f878df0ea8b4a448d5abcb9aa01e1cc.pdf
    • https://static.usrfiles.com/ugd/b8c837_ddbbd5f0e68a4e4d8a973a8d228d58dd.pdf
    • https://static.usrfiles.com/ugd/73cb9e_b014d382cfe746dc8bd94cc93235b5e6.pdf
    • https://static.usrfiles.com/ugd/ae059d_9d7b9625d42343e5918b1b912e489425.pdf
    • https://static.usrfiles.com/ugd/83b1b3_7d27d8904cf1482ebeb202e84980d192.pdf
    • https://cdn.shopify.com/s/files/1/0433/9499/0243/files/zekonomotipa.pdf
    • https://cdn.shopify.com/s/files/1/0436/5513/5390/files/windows_10_command_prompt_commands_list.pdf
    • https://cdn.shopify.com/s/files/1/0436/0349/3022/files/36698700158.pdf
    • https://cdn.shopify.com/s/files/1/0440/3937/2965/files/allen_bradley_powerflex_400_programming_manual.pdf
    • https://static.usrfiles.com/ugd/1cc7e8_92b214dc9a1c4274877b3f09bccc3ff5.pdf
    • https://static.usrfiles.com/ugd/4dd980_b964a91303134fba88ab91d01122206e.pdf
    • https://static.usrfiles.com/ugd/ce14f3_a7d67340e45848448b973db4dea5e09b.pdf
    • https://static.usrfiles.com/ugd/a8ca0f_f01289497f8647548205629e2276c26e.pdf
    • https://cdn.shopify.com/s/files/1/0433/0379/6894/files/university_of_alberta_scholarship_application_form.pdf
    • https://cdn.shopify.com/s/files/1/0431/7839/3749/files/romagobogujaserobugi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b8ce.bin
e1a130b400f318e8c2db50c909e9a1d6b81ad349d9e3ab147e765277db9937c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB8CE 4956 bytes
font_01_sfnt_off0000c98f.bin
528283c145e5986e8d43f09c59f3ae6d80755effc1ecd02c81e0342a15c4940f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC98F 10232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.