Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff2754fec820a699…

MALICIOUS

PDF

41.9 KB Created: 2020-08-30 04:48:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 484872a3f0b7f7a8e09e982b5783aa27 SHA-1: 741fb0b690691bc1b8fa8d550b6bc118a3610440 SHA-256: ff2754fec820a699fc98ea0b103b1090bee7d32fa7ed69b47842a01eaf633b5f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.ru'. This URL is presented within the document body, disguised as a refusal letter for a job offer. The PDF also exhibits characteristics of a link farm, with numerous embedded links pointing to external PDFs, likely for SEO manipulation or to obscure the malicious redirector. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=refusal+letter+for+job+offer+sample
    • https://static.usrfiles.com/ugd/b8c837_6733231724be44e0b5452b979acb5e2c.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_2e7ae631bbc04b49bd4d71ff98f92717.pdf
    • https://static.usrfiles.com/ugd/6240f8_bb58371713294ab58a96e6b9e09e6144.pdf
    • https://static.usrfiles.com/ugd/ef7b09_c4358d7bafcc463785290c06da04bfa1.pdf
    • https://static.usrfiles.com/ugd/8b9728_4efee30555c04218afed40e66a8fc24e.pdf
    • https://static.usrfiles.com/ugd/576447_feae90e0d66a4ce48b98558305d03452.pdf
    • https://static.usrfiles.com/ugd/b8c837_5ee8e9394f0c476390bdde06fccc6296.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b0760ebcf8242cf9a594d4b66f2709a.pdf
    • https://static.usrfiles.com/ugd/a771bd_7123588d77f641268513b36ed674ff7f.pdf
    • https://static.usrfiles.com/ugd/affb4a_3479b469203d48b2bae7be51a09c9de5.pdf
    • https://static.usrfiles.com/ugd/eaf48f_3ce8d4c8b3ff44fe91fe5f0d5dd78d06.pdf
    • https://static.usrfiles.com/ugd/3b7182_5bf9e600a9af4ce5b21e15a4afd6a11b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066d8.bin
65a12b2dd2c9ba66f00f3978fdab8f497bd5eb43067c1e5abc102ff42ba3ac44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66D8 5268 bytes
font_01_sfnt_off000078b2.bin
1a53a7b593497bab9b1caa4b6767783edbdb90e056fd7a3cd755383443e969e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78B2 10140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.