Malicious PDF — malware analysis report

Static analysis result for SHA-256 c630c9a5db09efa6…

MALICIOUS

PDF

46.1 KB Created: 2020-09-03 15:06:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50a2ab9d97f9dd0fc7ea3c479c12b77c SHA-1: 9d633356135a70ffc8bb3fc317eed501f84fab51 SHA-256: c630c9a5db09efa612728b937035d0956ee51320e259e0a951102f98e1359718
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/wix?keyword=backward+compatibility+java+android', which is flagged as malicious. The presence of numerous external links suggests a link farm or redirection tactic to obscure the final malicious destination.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=backward+compatibility+java+android
    • https://static.usrfiles.com/ugd/30ea26_a618a32b7e4640e0bee3b7c285ea0a78.pdf
    • https://static.usrfiles.com/ugd/4826f5_373ee87aaa8d48aba14b4c1f3c5ee07b.pdf
    • https://static.usrfiles.com/ugd/b0cd75_0abb52f2d8b54aacaea9c4f96c0fdd47.pdf
    • https://static.usrfiles.com/ugd/a86d68_532b83c63a0d472e861b8573d193d1f8.pdf
    • https://cdn.shopify.com/s/files/1/0431/3038/8642/files/black_s_law_dictionary_tenth_edition.pdf
    • https://cdn.shopify.com/s/files/1/0434/8595/4198/files/27116915254.pdf
    • https://cdn.shopify.com/s/files/1/0433/4904/9499/files/how_to_install_skyrim_special_edition_mods.pdf
    • https://cdn.shopify.com/s/files/1/0438/0386/9346/files/96622516554.pdf
    • https://cdn.shopify.com/s/files/1/0439/3048/4904/files/baaghi_2_picture_full_movie_hd.pdf
    • https://cdn.shopify.com/s/files/1/0427/9818/6663/files/togaluzemobadutebow.pdf
    • https://cdn.shopify.com/s/files/1/0427/7298/8071/files/83208572022.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007484.bin
d9d6704a1a94df427d27a7e71fa7660434d87716b1dc624577623609b1d3a96a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7484 5624 bytes
font_01_sfnt_off000087a8.bin
848c0479d1dd3128ea6ee48a2c766d2331351c5c8cf90f535ac0df5439b9835d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87A8 10464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.