Malicious PDF — malware analysis report

Static analysis result for SHA-256 eefa619234a78846…

MALICIOUS

PDF

42.6 KB Created: 2020-08-30 11:47:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41410303ee03ebcabec867db6902eab1 SHA-1: 6621bd4016f658ce7eb7e54666c91ce1c8fed8f7 SHA-256: eefa619234a788465897d77e5773eaa0363ee48dac2f15a8dc5344a54e269b15
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded links, a technique often used to create link farms for SEO manipulation or to redirect users to malicious sites. One of the primary URLs, 'https://ttraff.ru/wix?keyword=stats+data+and+models+third+canadian', is flagged as a known malicious redirector. The document body contains garbled text but also includes this URL and other PDF links, reinforcing the link farm heuristic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=stats+data+and+models+third+canadian
    • https://static.usrfiles.com/ugd/0df15e_81ec43c8da4342f3973d237ec2a35be8.pdf
    • https://static.usrfiles.com/ugd/b58d21_e8644eb2defc40f5af1d210a568b503a.pdf
    • https://static.usrfiles.com/ugd/b5aed9_d1a0bf6082eb4c2e903a0b8538666be4.pdf
    • https://static.usrfiles.com/ugd/b85eb0_67849f46458242c788c2902a43801827.pdf
    • https://cdn.shopify.com/s/files/1/0431/2629/2629/files/linux_mint_bootable_usb.pdf
    • https://cdn.shopify.com/s/files/1/0428/2423/7212/files/84809228739.pdf
    • https://static.usrfiles.com/ugd/b8c837_baae777784bb4397a14ffd8809009b05.pdf
    • https://static.usrfiles.com/ugd/b8c837_c0d43d1519814115b32301c81109aad9.pdf
    • https://static.usrfiles.com/ugd/4dd980_3e76631761e84a89ae1362576b3ed159.pdf
    • https://static.usrfiles.com/ugd/105a8c_67200cd9f8484a5b895d65788670b4ab.pdf
    • https://static.usrfiles.com/ugd/07e02c_c08dba8e094744e79b26cd75bb5b72bc.pdf
    • https://static.usrfiles.com/ugd/b8c837_6b7033b76afb4be58cc8b6af50ca52f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8f9b1f3727c49e0a214c508011206bd.pdf
    • https://static.usrfiles.com/ugd/934fc3_d79b34e1a5184879b31b7384458466dd.pdf
    • https://static.usrfiles.com/ugd/b8c837_9bff50e9c78c483594f051e38d170046.pdf
    • https://static.usrfiles.com/ugd/b8c837_e152ae9b6e3b4857980a9bbd5936e161.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065c4.bin
eac5be65cf5a75dc8e18f5eee176cbb487b921563fcf12436a51a8d2aba8a3d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65C4 5284 bytes
font_01_sfnt_off00007777.bin
692ca6683358986d3b962d785fcb1d07879300f7cb47837425ffb2e6c2cc18f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7777 11128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.