Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9eb9f9bf4612fcc…

MALICIOUS

PDF

158.7 KB Created: 2020-08-31 08:11:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb7ebb3a4a22956b4ff3f88f5716ca53 SHA-1: 5f3edf41e2b32eee618126835fe252a5a2e1bfb8 SHA-256: d9eb9f9bf4612fcc4b7ef8e4a29d419f1bc17c09a8a76b2cf5b43bf170373f92
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.ru, which is flagged by critical heuristics. The document body, though heavily obfuscated, also contains this URL and text related to 'Terraria items cheaten', suggesting a lure. The presence of a visual download button heuristic further supports the attack pattern of enticing users to click the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=terraria+items+cheaten
    • https://static.usrfiles.com/ugd/12745a_d4916c9b42b8418a83811197f9bcafbe.pdf
    • https://static.usrfiles.com/ugd/e42ee3_f380af83216748d1995bf61d0a411a76.pdf
    • https://static.usrfiles.com/ugd/b8c837_e268caaef2da41fcadac0c154334b4f2.pdf
    • https://static.usrfiles.com/ugd/0cd3a8_066e523f033640649849740d4b6dad21.pdf
    • https://static.usrfiles.com/ugd/0a0016_658de5d855914c54b293a7142fd5f85d.pdf
    • https://cdn.shopify.com/s/files/1/0434/2602/1527/files/98004417858.pdf
    • https://cdn.shopify.com/s/files/1/0433/2378/5370/files/adding_polynomials_worksheets.pdf
    • https://static.usrfiles.com/ugd/23e9be_27109c7001d148fb8f780905a986d254.pdf
    • https://static.usrfiles.com/ugd/f55bec_822d0d0c73cb45bfb6c229634fcfc929.pdf
    • https://static.usrfiles.com/ugd/74e905_ceffbf4317844d7c81253b26f2610fbe.pdf
    • https://static.usrfiles.com/ugd/f3ecbe_a8c22c68863e421f977b46570b188966.pdf
    • https://static.usrfiles.com/ugd/9421c8_9a64b1215c964672a22cc156e727b810.pdf
    • https://static.usrfiles.com/ugd/7f46b5_c51c03e8251e47729c4bd02e361f42c8.pdf
    • https://static.usrfiles.com/ugd/47b1e8_a1584c6cfab54a0d94b1a42c358b34a8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002191e.bin
b7279c22797325788a146432074fb84dc5027d4bc1c155985eed9214eaf1fe2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2191E 5064 bytes
font_01_sfnt_off00022abd.bin
36193ff54d0f1dccb0e81d066906b6f19848aa69b6a026846614df116502837c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22ABD 4956 bytes
font_02_sfnt_off00023b6d.bin
6e88bff7567c7adf0264024f800e56daddf3100bc69af52d1f0befa3d0a470af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23B6D 15988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.