Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2aa63a0d974b4de…

MALICIOUS

PDF

41.5 KB Created: 2020-08-29 07:24:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f66ef188e659f252f4952381aab5c7d SHA-1: b627822a1fd7459c7f8639d529319ec8c3b41f6b SHA-256: c2aa63a0d974b4dea42b6ebd0ee5ac5711108acf49954bc920af8ed5241c2e9b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that the link at 'https://ttraff.ru/wix?keyword=adjectives+and+opposites+list' leads to known malicious infrastructure. Additionally, the 'PDF_SEO_LINK_FARM' heuristic suggests the document is designed to host a large number of external links, likely for SEO manipulation or to distribute traffic to various malicious sites. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=adjectives+and+opposites+list
    • https://static.usrfiles.com/ugd/b8c837_321509018dc64367ae7f55a15431404a.pdf
    • https://static.usrfiles.com/ugd/b8c837_b8fce1de2eb24df3b3711f40fff9cc48.pdf
    • https://static.usrfiles.com/ugd/b8c837_8ed5dcf84bea4e1887ed27bc043eac2f.pdf
    • https://static.usrfiles.com/ugd/b8c837_ec2e43c4dbf241008a686e33d2b096df.pdf
    • https://static.usrfiles.com/ugd/b8c837_61fcf48439874987a155b34eb34b9645.pdf
    • https://static.usrfiles.com/ugd/b8c837_78332af507ad48bea4df53ee23f6d7e8.pdf
    • https://static.usrfiles.com/ugd/b8c837_d4fed21158834cdfa3540cd63c02d22a.pdf
    • https://static.usrfiles.com/ugd/b8c837_7101b0d36d224c09a1dfc957bd7963af.pdf
    • https://static.usrfiles.com/ugd/b8c837_05993c81144f4aa2b98467f1fba49b0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_36a524958fbe47f180f7d8ab687a4353.pdf
    • https://static.usrfiles.com/ugd/b8c837_b1013032ceb64be4bed88212d48d2b18.pdf
    • https://static.usrfiles.com/ugd/b8c837_8cc65435eefe4faeafc675260b5c723a.pdf
    • https://static.usrfiles.com/ugd/b8c837_a25d4d88544144a5b2c5a3a9f3ff7bc3.pdf
    • https://static.usrfiles.com/ugd/b8c837_14dec97735fa48d18d97a2085a82bd09.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000058a2.bin
04af1111e646efe5d5214987e5a15f946fddf86aa5a238ec90606a0f24797019		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58A2 4884 bytes
font_01_sfnt_off0000694e.bin
c04cdb5bcfc460b4478f98f151a3872c37c883c6f8b2e0a6669ad3eaa1b349bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x694E 9920 bytes
font_02_sfnt_off00008b41.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B41 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.