Malicious PDF — malware analysis report

Static analysis result for SHA-256 e880b065a0c13c75…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2020-08-30 07:57:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 534b02e44f3a5be049ac372824aebf21
SHA-1: 656bdcbde5ae86c2aa6556cdda2efb305a09a188
SHA-256: e880b065a0c13c750d619e26419b682d7d6e390379145faaf52d9629a6a7725d
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link that redirects to a known malicious domain, ttraff.ru. The document body, though heavily obfuscated, contains text related to 'active and passive voice teaching ai' and the malicious URL, suggesting a lure to trick users into clicking the link. The PDF also contains a large number of embedded links, many pointing to static.usrfiles.com, which is flagged as a link farm. The primary malicious IOC is the redirector URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary redirector URL: https://ttraff.ru/wix?keyword=active+and+passive+voice+teaching+ai

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000067d7.bin
    SHA-256: 1289f077e6313dc3e07507ae34afd5568a0fa8db35e416ac19966c139bf3faec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67D7
    Size: 5256 bytes
  • Filename: font_01_sfnt_off000079ba.bin
    SHA-256: 968c580773b182a0277d93943552a675b13519b9562a419891e9ae5120a18c54
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79BA
    Size: 11008 bytes