Malicious PDF — malware analysis report

Static analysis result for SHA-256 eefea2e7fe2a5efe…

MALICIOUS

PDF

Size: 41.0 KB
Created: 2020-09-02 00:00:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8dd52accf9789356699972774ca942c1
SHA-1: c85bfff8dcaf2e8a2b186535a3b9c714317c2ddb
SHA-256: eefea2e7fe2a5efe5e8e7127cbfd1b9a922b04efa74c5ce31c092ab9878b443b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One critical heuristic identified a link to a known malicious redirector at ttraff.ru, which is likely the primary malicious payload delivery mechanism. The document body, though heavily obfuscated, contains the URL that triggered the malicious redirector heuristic, suggesting a social engineering lure related to 'nurseslabs questions and answers'. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=nurseslabs+questions+and+answers
    • https://static.usrfiles.com/ugd/1cfe37_0535924f777040b792f4133c3a801d2f.pdf
    • https://static.usrfiles.com/ugd/b8c837_122c8ffb822842fb91337fd11e7ec27c.pdf
    • https://static.usrfiles.com/ugd/b8c837_72d799f7de07494d9d8d6d4f0dc5e40b.pdf
    • https://static.usrfiles.com/ugd/ee6770_0448b922b3c14c0bb6678bd306c9eb1c.pdf
    • https://static.usrfiles.com/ugd/b8c837_463a20622dd04597870adc58658f5bcc.pdf
    • https://cdn.shopify.com/s/files/1/0434/1425/7815/files/97922480692.pdf
    • https://cdn.shopify.com/s/files/1/0429/9273/0275/files/belagemepajimuwen.pdf
    • https://static.usrfiles.com/ugd/13ae68_e99ccfd02a6f41009226f3f312e6ed24.pdf
    • https://static.usrfiles.com/ugd/217b8a_7a6d4e2eb12f43ed9ccf12691d7fc5ea.pdf
    • https://static.usrfiles.com/ugd/f2ef67_1e0aec437afa4061a8d213eb6c752016.pdf
    • https://static.usrfiles.com/ugd/affb4a_9bdd802a5c7c4cb59c805b40551e1c26.pdf
    • https://static.usrfiles.com/ugd/b8c837_eab1f5ba57d3473eb3ce059b61ccb77c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                     Size
font_00_sfnt_off000062e9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x62E9  5148 bytes
  SHA-256: 8d80c493997e538257743a3149ff53c04ca8fd10f848ded79fd225f02fcb6add
font_01_sfnt_off00007483.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x7483  10244 bytes
  SHA-256: 1240874b7cde2c20573be5e11dc3fe4db7c435677530dd8cf16a73a7bb792cb6