Malicious PDF — malware analysis report

Static analysis result for SHA-256 c02fcf284f7d2a79…

Verdict: MALICIOUS
File type: PDF
Size: 116.6 KB
Created: 2020-09-01 01:30:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 456f26a156e7b20f7f643e4856b5aa81
SHA-1: 6425ffd6b29f658f2e0e6b0302a1359910040d31
SHA-256: c02fcf284f7d2a797e4efd0095e3135477626ba036e028bb8bbbd991a9285b16
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a CAPTCHA or human verification prompt, intended to trick the user into clicking it. The document body contains obfuscated text and the URL 'https://ttraff.ru/wix?keyword=animal+jam+password+cracker+no' which is flagged as a malicious redirector. The presence of multiple links to static.usrfiles.com suggests a link farm for SEO poisoning.

Heuristics (6)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake CAPTCHA / human verification prompt (severity: high, rule: SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning.
  • Payment redirection / bank-detail change lure (severity: high, rule: SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions, a high-value business-email-compromise pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://ttraff.ru/wix?keyword=animal+jam+password+cracker+no
    • https://static.usrfiles.com/ugd/b8c837_18454bd4b1a940c69a2745f16d8d8ce5.pdf
    • https://static.usrfiles.com/ugd/b7306e_ca4e87af0f43471a9736fddb6b99b1bd.pdf
    • https://static.usrfiles.com/ugd/b8c837_c8720849d8cc43cc9628223bf32455db.pdf
    • https://static.usrfiles.com/ugd/a18aa6_a50f90fe039e41e0bc95271f0e9b6b63.pdf
    • https://static.usrfiles.com/ugd/269bb8_41dc4b2d1a9541fbbc2746494f5836f1.pdf
    • https://static.usrfiles.com/ugd/7603ae_a45a2cd6f11c44d789e84061b9584442.pdf
    • https://static.usrfiles.com/ugd/4c76bf_8c95579658494b968cbba337bbc6706f.pdf
    • https://static.usrfiles.com/ugd/234f58_353e3dc8a4bf4f28b6b04a138e22d9d8.pdf
    • https://static.usrfiles.com/ugd/b8c837_e3d58de78b214d0ebed68d94ccfb6fda.pdf
    • https://static.usrfiles.com/ugd/ce14f3_4f3b63edc1d849e8a8a044b3a8145906.pdf
    • https://static.usrfiles.com/ugd/b8c837_a49289018dd84a7f88afcfbded0bdc9e.pdf
    • https://static.usrfiles.com/ugd/ae15ca_900b3232c33a4086b2178028e91ef273.pdf
    • https://static.usrfiles.com/ugd/ae059d_37863d7a856742a4bec50d432e38d224.pdf
    • https://static.usrfiles.com/ugd/f0e51d_09db03f29f1946d0bfbfe9003d39caa7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0001320e.bin | 01d7bb7254d0aa3cfbf34477abfa38b87107c373e295d40ccf36729c92b56e1b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1320E | 9756 bytes
font_01_sfnt_off00015272.bin | b919dff2e0ad229355c45f09a1ba780b40ea4f83cf5a4c9b4d667c96b0e26208 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15272 | 5148 bytes
font_02_sfnt_off000163cb.bin | 4d7ef1e04c87055c7d8c84df75c756f87e9e48bb395ca0de34bf41886370be67 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x163CB | 5408 bytes
font_03_sfnt_off0001779a.bin | 40dd18c6c70b08a285988c91feee8abc08137eb32c644b864696b236355732b6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1779A | 11676 bytes
font_04_sfnt_off00019eff.bin | 77a8d008b43b3e907d909b4376ff70ce1cfb197fea269c1fd16ae5e0d0a67040 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19EFF | 16744 bytes
font_05_sfnt_off0001b5c8.bin | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B5C8 | 4324 bytes