Malicious PDF — malware analysis report

Static analysis result for SHA-256 f87eb33151ad6c9c…

MALICIOUS

PDF

45.4 KB Created: 2020-09-01 00:14:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60785abaa30b665e2ef36a71298a8e69 SHA-1: 4dae6c84fe97c1dca9b9a2812bf1db43288fc469 SHA-256: f87eb33151ad6c9cb3f77465fd89b2f998d7ebe4572a2920db817e34e9b090f7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic indicating it links to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.ru/wix?keyword=frontier+fios+channel+guide+2018', which is flagged as malicious. The file also contains a large number of embedded links, many pointing to Shopify, suggesting a link farm or SEO manipulation tactic to distribute malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=frontier+fios+channel+guide+2018
    • https://cdn.shopify.com/s/files/1/0434/5813/4182/files/castor_informatique_concours_algorea.pdf
    • https://cdn.shopify.com/s/files/1/0436/0205/1235/files/2614540309.pdf
    • https://cdn.shopify.com/s/files/1/0433/5930/5880/files/poweredge_t330_server_datasheet.pdf
    • https://cdn.shopify.com/s/files/1/0433/6422/1077/files/earthguide_diagrams_atmosphere.pdf
    • https://cdn.shopify.com/s/files/1/0431/8176/8872/files/25139859645.pdf
    • https://static.usrfiles.com/ugd/9421c8_d567def10c584ad2baec835ce6814a7f.pdf
    • https://static.usrfiles.com/ugd/6da380_b4fd7ea94a744bbfbe3ff375ee5cb0cf.pdf
    • https://static.usrfiles.com/ugd/d94ae5_f0bdcdb2eed04f6c8d77dfe426c991a8.pdf
    • https://static.usrfiles.com/ugd/5ed537_425c8d75f03f4c008fe630ab10aafbac.pdf
    • https://static.usrfiles.com/ugd/dd4472_e86f47c1125b4e718d687c7f4ff6a43e.pdf
    • https://static.usrfiles.com/ugd/df73ab_5af3547f0a78424e9462e95bfc396cfd.pdf
    • https://static.usrfiles.com/ugd/c63dba_ec14e8b874c64594887d1d72ac90124f.pdf
    • https://static.usrfiles.com/ugd/10e3af_a3619703e59945cea4db0a1aa481f599.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000723a.bin
532de4a30f1ca5f72e050b848ad6f3b849fc3bfa05e722bd1bee1bb69c1525a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x723A 5756 bytes
font_01_sfnt_off000085cd.bin
a8b7ee4a63a239ae3fc66603b571830a30c9b69b632a89498ef17a152ce34912		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85CD 10384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.