Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9a049a237ea3aae…

Verdict: MALICIOUS
File type: PDF
Size: 34.3 KB
Created: 2020-08-31 03:12:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 626efbd8d4cb352fa894a8e18c0774ad
SHA-1: 34dd2d8c4fc05cfbe09a27bf1c9c4a1b2666b30b
SHA-256: c9a049a237ea3aaea4065733205766362b6be529ce8c88e1cb40dc75e4795646
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file triggers a critical heuristic for a malicious redirector link pointing to 'https://ttraff.ru/wix?keyword=instala%25C3%25A7%25C3%25B5es+hidr%25C3%25A1ulicas+e+sanit%25C3%25A1rias+h%25C3%25A9lio+creder+pdf'. This indicates a phishing attempt in which the document's content is designed to trick the user into clicking the malicious link. The document body, though heavily corrupted, contains fragments of the lure text and the malicious URL, reinforcing the phishing pretext. The large number of external PDF links, many pointing to static.usrfiles.com, suggests a link-farm or SEO-poisoning tactic intended to improve search-engine visibility for the malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.ru/wix?keyword=instala%25C3%25A7%25C3%25B5es+hidr%25C3%25A1ulicas+e+sanit%25C3%25A1rias+h%25C3%25A9lio+creder+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000043c9.bin
  SHA-256: 9c964a9bc691a0566b59f601676d451f24dfbe2f51fae5d2018c3b96e9b5151e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x43C9
  Size: 5956 bytes

Filename: font_01_sfnt_off0000568e.bin
  SHA-256: 75adee735f7dc8abf908fdfa9526db96229c766e946a76eb4e08cbdc1f58105b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x568E
  Size: 11840 bytes