Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8cf13c618a84757…

MALICIOUS

PDF

39.9 KB Created: 2020-08-31 12:54:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45c8f6b6a0a937c54a7a062016a22bda SHA-1: 45bc72ce024e4dc8c42a28957dad8f59be501a91 SHA-256: c8cf13c618a84757f88490b2ee567197be4a2e7cd3a2d85cf1523a699bd0f1d4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to its inclusion of a link farm, which is a common technique for distributing malicious content. The primary malicious URL, https://ttraff.ru/wix?keyword=un+circuito+de+robot+de+escalada+de, is likely used to redirect users to a phishing or malware-hosting site. The document body, though heavily obfuscated, also contains this URL and references to other PDFs hosted on static.usrfiles.com, suggesting a coordinated effort to lure victims.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=un+circuito+de+robot+de+escalada+de
    • https://static.usrfiles.com/ugd/db1da1_9a8155b07b434fdeb9244777790b9a35.pdf
    • https://static.usrfiles.com/ugd/b8c837_2ee03e23c7834b4badc25baf5bd52fd3.pdf
    • https://static.usrfiles.com/ugd/ca32a8_0188949e9e5746588ca413cf37ba3319.pdf
    • https://static.usrfiles.com/ugd/576447_801bffe4f7c447689244ac5987324bd9.pdf
    • https://static.usrfiles.com/ugd/b8c837_8b1a1b3a70334f8bac8ed6da4f39914f.pdf
    • https://static.usrfiles.com/ugd/90c678_d58e1e38417545edbd55d264d4fd76b4.pdf
    • https://static.usrfiles.com/ugd/a382ee_d62f1d1a134849778fef4d47a5ba597d.pdf
    • https://static.usrfiles.com/ugd/8b97dd_a9a79d645f6849189a64eef76489bc97.pdf
    • https://static.usrfiles.com/ugd/136d07_e55f7002c2d04a1bb4829f7232380261.pdf
    • https://static.usrfiles.com/ugd/79e0dc_d72c0db0b4504fcbb856082058ca5623.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c61.bin
3f36b21754c975607d65722315d5893d741de7ff624c5e3e7e9dcc03d90b5a25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C61 5064 bytes
font_01_sfnt_off00006da3.bin
ee54e57f6e35faebed2b13fe471037160304097d82dac06880e853509e09502f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DA3 11012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.