Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6c025e6dedc82c6…

MALICIOUS

PDF

40.7 KB Created: 2020-08-30 22:29:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8c5c37401a2f58679007ba862bf44423 SHA-1: 31d28b70a073943ca97629d8e30deec4d6946644 SHA-256: d6c025e6dedc82c64ecfd5206d517e3ccbc0357dd9940aa39ccf03904cb00daf
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded links, with one pointing to a known malicious redirector. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document is designed to trick the user into believing they need a password to open an archive, likely to bypass security scanning. The primary malicious URL is https://ttraff.ru/wix?keyword=isunshare+zip+password+genius+regist, which is used to facilitate the download of a password-protected archive.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=isunshare+zip+password+genius+regist
    • https://static.usrfiles.com/ugd/b8c837_a86d91661e1c4b0799e907e1ff31fb36.pdf
    • https://static.usrfiles.com/ugd/f103bb_397150778d0742df80279693d47f1322.pdf
    • https://static.usrfiles.com/ugd/822ecd_31d7a61586964f31bf761d1169c6d163.pdf
    • https://cdn.shopify.com/s/files/1/0432/3773/6603/files/99880038885.pdf
    • https://cdn.shopify.com/s/files/1/0431/0145/4500/files/kufabolakedugexugulazar.pdf
    • https://static.usrfiles.com/ugd/f09a9d_445241891c0546f2b1cd047524e0a0be.pdf
    • https://static.usrfiles.com/ugd/22739b_bebf150f8a144b2dac6281e0748bf6e4.pdf
    • https://static.usrfiles.com/ugd/c8a981_4a21cc074a934a4ca5ce42dcd96d7c58.pdf
    • https://static.usrfiles.com/ugd/b8c837_17db77abc1ae44e0948b522787e92986.pdf
    • https://cdn.shopify.com/s/files/1/0440/1987/5998/files/business_development_manager_jd.pdf
    • https://cdn.shopify.com/s/files/1/0431/4556/0219/files/certified_letter_from_former_employer.pdf
    • https://cdn.shopify.com/s/files/1/0434/4479/7605/files/apa_format_newspaper_article_in_text_citation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060a3.bin
e846849d429a11bd7bbfc027034cf87b6a3af37d72a0d8d01b140a343130ac62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60A3 5268 bytes
font_01_sfnt_off00007296.bin
bb9789873e53b6b16df8e60f23a180e4120085cd8b3b8b4f68a68f9f57d4321b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7296 10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.