Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed0324c71438ec1e…

MALICIOUS

PDF

40.2 KB Created: 2020-08-30 10:13:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 873e11ac20bbfe30c2fd9c0ed934fbad SHA-1: 8f4898cd680aa9bfcc2ed9b7671a6ae44f2c4643 SHA-256: ed0324c71438ec1ef8d21ac0317c58ac95a471ef1fbd2af4608412e8c118d090
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wix?keyword=bobcat+t650+manual'. This URL is presented within the document body, disguised as a search result for a manual. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF documents. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=bobcat+t650+manual
    • https://static.usrfiles.com/ugd/d1c05f_895c479a2ee4424886083a8f1f1a55a3.pdf
    • https://static.usrfiles.com/ugd/b8c837_98e690e6f0534ebfbdd6ce7f5ef469b0.pdf
    • https://static.usrfiles.com/ugd/b8c837_61dc039615f94bcd81525e48d6b394d8.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5c3234a0c6d4ca9ad8487bff3f9df42.pdf
    • https://cdn.shopify.com/s/files/1/0439/8376/5662/files/brain_teaser_quiz.pdf
    • https://cdn.shopify.com/s/files/1/0438/2264/5408/files/gelaju.pdf
    • https://static.usrfiles.com/ugd/824332_63687499a2454652825dbc53916b35d0.pdf
    • https://static.usrfiles.com/ugd/3f80ec_eea7d52bb20a4fc489646d830495daa1.pdf
    • https://static.usrfiles.com/ugd/a4d998_e5175574db774ba7905736f60a440549.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ff9788c1ca747e0bfb57631ec50b7d4.pdf
    • https://static.usrfiles.com/ugd/67f5f7_386b271124c5452aac4700b8a58df45b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fac.bin
4fbea67763af4a59d687928047ead5ebe4e4c5b55370a4cab642e5c4e91dfb9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FAC 5280 bytes
font_01_sfnt_off0000718b.bin
3a8d74fc7e02b0276987115cb0f641eeb536f85d3995d07bf0090c37a21df526		 pdf-font-stream PDF embedded font (sfnt) at offset 0x718B 10260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.