Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc8c2c752419a586…

MALICIOUS

PDF

40.0 KB Created: 2020-08-29 02:22:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c3e79a1c202a1385ef08cb21e8fb230 SHA-1: edd7cfa92a21807a7f5791175ce6bcb57a7f4722 SHA-256: fc8c2c752419a586fff69bcd439b9667b72b2703240f6f098c997b002d83b5de
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one heuristic identifying a direct link to a known malicious redirector. Another heuristic flags the document as a link farm, with 16 external PDF links. The primary malicious URL identified is https://ttraff.ru/wix?keyword=bjt+transistor+types. The document body appears to be heavily obfuscated or corrupted, but the presence of URLs and the heuristics strongly suggest a phishing or redirection attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=bjt+transistor+types
    • https://cdn.shopify.com/s/files/1/0429/9191/1066/files/antagonistas_receptores_h2.pdf
    • https://cdn.shopify.com/s/files/1/0440/4386/2181/files/pepikapigopexo.pdf
    • https://cdn.shopify.com/s/files/1/0433/1552/7833/files/78401265021.pdf
    • https://cdn.shopify.com/s/files/1/0435/6702/2239/files/nenudeva.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/65496272691.pdf
    • https://cdn.shopify.com/s/files/1/0432/3550/8387/files/widenipakemilaberas.pdf
    • https://cdn.shopify.com/s/files/1/0435/8946/8328/files/antenna_webdesign_studio_2._7_full.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/setudixekob.pdf
    • https://cdn.shopify.com/s/files/1/0445/8535/3380/files/diagnostico_empresarial_de_una_empresa.pdf
    • https://cdn.shopify.com/s/files/1/0431/3631/9645/files/dupasa.pdf
    • https://cdn.shopify.com/s/files/1/0427/5588/3175/files/gokakimokimenujoxilinaben.pdf
    • https://static.usrfiles.com/ugd/b8c837_d413f66ba2754318983edc8952c2a461.pdf
    • https://static.usrfiles.com/ugd/b8c837_1d24299663f74cb9828fc4d8b1de3ae4.pdf
    • https://static.usrfiles.com/ugd/b8c837_df138d8e91464135ba6ad496f8f6ca03.pdf
    • https://static.usrfiles.com/ugd/b8c837_14adb31cc52b42c2910f88d46b30196b.pdf
    • https://static.usrfiles.com/ugd/b8c837_b5b202edd1044a25b199b1d41445b8c9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006079.bin
d05bf525952efd76a5ae6868826064c9c27cfc7cbb52c93b4b0d9cf437ec4394		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6079 5008 bytes
font_01_sfnt_off0000719a.bin
20e3bef17b542576176f3889566674091170ec6ac241733bf2d511a535ac996e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x719A 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.