Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e9b5421001beed7…

Verdict: MALICIOUS
File type: PDF
Size: 40.9 KB
Created: 2020-08-31 03:47:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93b34b6b86fd9f4554caffef9214cced
SHA-1: 6b121ff814a31a5aaef06c2e52e51e8099464274
SHA-256: 1e9b5421001beed7c35f7ffca0a817ca14b2130d33aec3847765918ebaf470b0
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a heuristic for a malicious redirector link, specifically pointing to 'ttraff.com'. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The file also exhibits the characteristics of a link farm, with numerous embedded URLs, many pointing to 'static.usrfiles.com'. The overall pattern suggests a phishing attempt designed to redirect users to malicious infrastructure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.com/wix?keyword=livro+de+ciencias+8+ano+respostas+2018

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005c2f.bin
    SHA-256: 774a11a2b9437e7825d7f044c5d26a1832bd9783a74ca5ef7efda301d62c2479
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C2F
    Size: 5556 bytes
  • Filename: font_01_sfnt_off00006f2c.bin
    SHA-256: 56e47bc2984d6eef24d1475a0918571934b21b675665edb95164a54f38c44cda
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6F2C
    Size: 12876 bytes