Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6fbab325a768283…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Created: 2020-08-30 16:54:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a190ebf7f231ec40173f6bc45c79c6a
SHA-1: 70021e15a89a62af1c0976719fac405968988e31
SHA-256: f6fbab325a768283d0b5a3b1460890baa20a0561cac7b29edfbdfcea382fc36c
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.ru'. The document body, though heavily obfuscated, contains text that appears to be a title related to 'Sherlock Holmes', likely a lure. The presence of a mass external PDF link farm, with many benign Shopify links, suggests a tactic to obscure the malicious redirector among legitimate-looking content. The primary malicious IOC is the redirector URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=sherlock+holmes+1.+sezon+2.+b%25C3%25B6l%25C3%25BCm+al (URL)
    • https://cdn.shopify.com/s/files/1/0428/9023/1974/files/farmacos_anticolinergicos.pdf
    • https://cdn.shopify.com/s/files/1/0432/2931/5229/files/advanced_excel_if_formulas_and_functions.pdf
    • https://cdn.shopify.com/s/files/1/0428/7702/6463/files/74041426298.pdf
    • https://cdn.shopify.com/s/files/1/0435/8488/0798/files/48390276139.pdf
    • https://cdn.shopify.com/s/files/1/0435/7039/7339/files/outlook_multiple_attachments.pdf
    • https://cdn.shopify.com/s/files/1/0430/6393/5129/files/allison_transmission_operators_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/5638/9528/files/detugamajelafuxe.pdf
    • https://cdn.shopify.com/s/files/1/0431/3025/7568/files/aetna_choice_pos_ii_plan_coverage_2020.pdf
    • https://cdn.shopify.com/s/files/1/0436/5107/2158/files/41381099415.pdf
    • https://cdn.shopify.com/s/files/1/0440/6788/1125/files/58059454266.pdf
    • https://static.usrfiles.com/ugd/e2c250_ff02c44183864e8d864cb5a4b16a4143.pdf
    • https://static.usrfiles.com/ugd/12f4eb_e8a5f774580b4adcb62dee12aec539b1.pdf
    • https://static.usrfiles.com/ugd/6f53d7_3d42de4099694e85b4bcb59731ed41d0.pdf
    • https://static.usrfiles.com/ugd/b8c837_cfc2266b12354d6bb593e96dbaea740c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006f36.bin
    SHA-256: 59bf78a32927aed1e5f85f36ea49fcce789acd114b1645baa206c40638422781
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6F36
    Size: 5868 bytes
  • Filename: font_01_sfnt_off0000829b.bin
    SHA-256: cbefe6d418ee95343f91e9c6bd7171ad9c08ec021a8c89791c23ef90f5fad112
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x829B
    Size: 10460 bytes