Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c0b2a3537409348…

MALICIOUS

PDF

32.8 KB Created: 2020-09-01 15:37:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5df4406414d30304da8cab1865fcbed7 SHA-1: e993f37103caa85ff4a5493bb4f4f31efc47832d SHA-256: 1c0b2a3537409348b125889b8f9dd81de59625cf17142a247778023827df5b2c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely intended to lure the user into clicking on it. The document body, though heavily obfuscated, contains text fragments that suggest a 'weather report' theme, likely a pretext for the malicious redirection. The presence of numerous external PDF links, many pointing to static.usrfiles.com, indicates a link farm strategy, potentially to obscure the final malicious destination or for SEO manipulation. No scripts were extracted, and the PDF structure itself does not indicate further exploitation beyond the embedded link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=mangaon+weather+report
    • https://static.usrfiles.com/ugd/b8c837_0048c07d6de746819895bb2a129e6ea6.pdf
    • https://static.usrfiles.com/ugd/edb4a7_04826d7230e1455781652622b0e8b981.pdf
    • https://static.usrfiles.com/ugd/b47706_2523a10a5a2040479b32f9daa519791b.pdf
    • https://static.usrfiles.com/ugd/b8c837_c45b466862d24e3e9a3067ae7ffe2457.pdf
    • https://cdn.shopify.com/s/files/1/0432/7833/6165/files/kewelurilakebumegeruli.pdf
    • https://cdn.shopify.com/s/files/1/0440/0162/4214/files/us_time_server.pdf
    • https://cdn.shopify.com/s/files/1/0439/3798/8766/files/oxford_discover_4_vk.pdf
    • https://cdn.shopify.com/s/files/1/0438/4836/8288/files/1396879427.pdf
    • https://cdn.shopify.com/s/files/1/0450/5288/7190/files/allelopathy_definition.pdf
    • https://static.usrfiles.com/ugd/cc14e4_554a8ae0b03b43dd9d8b5793b55b12c8.pdf
    • https://static.usrfiles.com/ugd/83f04e_bfd2fa64c2a0453f8b4adbec344c6327.pdf
    • https://static.usrfiles.com/ugd/0fdb6d_ee53be1ed1b741b7921f301204d376e2.pdf
    • https://static.usrfiles.com/ugd/46429b_52dade5e54914ad4b52fc3b4167c22b9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000466c.bin
e2ba88d96fe44d2b0fca3ef776072737dcaa192dff2c64beb8d371456ba02a08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x466C 4968 bytes
font_01_sfnt_off0000576e.bin
0ca1c6201ef89d1fc7b8c4cd2e2ab166d95a178cd76055effd869d88665fc333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x576E 9140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.