Malicious PDF — malware analysis report

Static analysis result for SHA-256 c861a7b415cc75c2…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Created: 2020-08-31 07:04:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 406dc67431578ed59fe31c27bfcc206d
SHA-1: d9ceb9507c0d23ac5d5bf0d8d6befd293d89d719
SHA-256: c861a7b415cc75c2b3d404b9ad9d7b46fe4290f0f8711e3e37adb20522762333
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with the primary heuristic identifying a link to a known malicious redirector. The document body, though heavily obfuscated, also contains the URL https://ttraff.ru/wix?keyword=adonit+pixel+vs+apple+pencil, which is flagged as malicious. The presence of a link farm suggests an attempt to obscure the final malicious destination or to distribute malware through a series of redirects.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (document body): https://ttraff.ru/wix?keyword=adonit+pixel+vs+apple+pencil

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                    | Size
font_00_sfnt_off00005abb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5ABB | 5088 bytes
  SHA-256: c4d9f9bc6e2cac9914d6448333958d4ff149169c5da799b8b48539d988771a87
font_01_sfnt_off00006c20.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C20 | 9548 bytes
  SHA-256: 87eceb414a7ca96e9fb15ac1f2df90939a47942723725381538a9b55442c6167