Malicious PDF — malware analysis report

Static analysis result for SHA-256 c64ab8e1becf3ecc…

MALICIOUS

PDF

Size: 86.1 KB
Created: 2020-09-15 03:16:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ce9b8c5332d79594b901825d2680d3f
SHA-1: 408261cab70f943c51ea0fea7546e23bdbbd2180
SHA-256: c64ab8e1becf3ecc4996da9df87425afbb76b531e8fe2af1ca0fd45837931bc9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.ru, which is disguised as a search result for a video game. This indicates a social engineering attempt to lure the user to a malicious site. The PDF also contains a large number of external links, suggesting it is part of a link farm designed to improve search engine rankings for malicious content. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wb?keyword=need%20for%20speed%202%20player%20split%20screen%20ps4
    • https://static.usrfiles.com/ugd/b16523_472964ce673546da99f168fbe1fcc387.pdf
    • https://static.usrfiles.com/ugd/9b33c5_74c7b375f0d44377b97609901064c89d.pdf
    • https://static.usrfiles.com/ugd/cdb50c_d2740b8adf954fd98e79df7a8811bbe8.pdf
    • https://static.usrfiles.com/ugd/f17c08_6e51da2be1aa410cab362967feb14987.pdf
    • https://static.usrfiles.com/ugd/9a242c_2ac4580d7e164d8683663d219aa5e56d.pdf
    • https://static.usrfiles.com/ugd/83d902_b9980ef031f54298956b4fb050af332b.pdf
    • https://static.usrfiles.com/ugd/069df5_849c3a1e86ef413eaf5dc269d4749f46.pdf
    • https://static.usrfiles.com/ugd/4479ed_5b7adadac5f341e1a5a4ebd37dcc2e25.pdf
    • https://static.usrfiles.com/ugd/3b47cb_0f4e5a59eb20451fa0a3a0c881a76a63.pdf
    • https://static.usrfiles.com/ugd/296484_97a76d9b40b449c6874a22354951d151.pdf
    • https://static.usrfiles.com/ugd/08338c_0bd917405c3f48c18159d369a6931e9a.pdf
    • https://static.usrfiles.com/ugd/b8c837_78cd4f74243e408f9c66f44989c6029f.pdf
    • https://static.usrfiles.com/ugd/db93e9_3ea13698bc14403d8c75a833e90cb642.pdf
    • https://static.usrfiles.com/ugd/a6e5e9_acccb6a0e6314840a13c36960a9153ae.pdf
    • https://static.usrfiles.com/ugd/cac9e4_bf139b01461a4a72a2c753f444ae8b19.pdf
    • https://static.usrfiles.com/ugd/8acad3_4134fd228e18474392d1509e912fa51e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001085d.bin
  SHA-256: f48ffec16bb3e0b1346653c52062961a406de8189abc88eccf462760d661c1e0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1085D
  Size: 5440 bytes

Filename: font_01_sfnt_off00011b0c.bin
  SHA-256: 4ec1c7753f41fd3d4e20adba7c3f4fbf72d54b89a4d8a2bc298dfafce86e9d48
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11B0C
  Size: 15320 bytes