Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f5c9169fe95626a…

MALICIOUS

PDF

49.0 KB Created: 2020-08-28 23:21:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 784060d534979171092cf290a98d0c39 SHA-1: 4125a2fb201b0a020a7039129fb08bf8ce225300 SHA-256: 1f5c9169fe95626a84fd4d06243787c588f8929318b5eb22c61c4f2a51486444
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of these links, ttraff.com, is identified as a malicious redirector. The document body, though heavily obfuscated, contains the same URL, suggesting the primary intent is to trick the user into visiting this malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=wow+enchanting+guide+classic
    • https://static.usrfiles.com/ugd/b8c837_c17d130facb3441690e2030855741e61.pdf
    • https://static.usrfiles.com/ugd/b8c837_c9cfdad9411f46a3af873fc3decc710c.pdf
    • https://static.usrfiles.com/ugd/b8c837_d92458ecee1c45c6b35af5bffbd129bb.pdf
    • https://static.usrfiles.com/ugd/b8c837_71be042c184646ac8824a5897df6df64.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc5c1ca9c9a94096a5d4d6580337202a.pdf
    • https://static.usrfiles.com/ugd/b8c837_9789c00d347f4b03877ef1bc5c59f908.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba1c95c30cf7409fb381c6f1eafe6daf.pdf
    • https://static.usrfiles.com/ugd/b8c837_d1edcb8a83c94dfea2c829b95e17ac54.pdf
    • https://static.usrfiles.com/ugd/b8c837_a2c4bba5127a4c2b93fd32c817457492.pdf
    • https://static.usrfiles.com/ugd/b8c837_54aff90327a942fe8d998f90f4cc31ad.pdf
    • https://static.usrfiles.com/ugd/b8c837_dc3a4bf614a94e6e851c34e062a6ec3f.pdf
    • https://static.usrfiles.com/ugd/b8c837_6c308b80a8334f6cbbac0840859dd934.pdf
    • https://static.usrfiles.com/ugd/b8c837_f9041e3a4ecf47f2bb1f5f26774a73c0.pdf
    • https://static.usrfiles.com/ugd/b8c837_a0bad03dd9e14df385d2d34b03e16fb8.pdf
    • https://static.usrfiles.com/ugd/b8c837_a3a449a4cffc487d994f167b764bb8c3.pdf
    • https://static.usrfiles.com/ugd/b8c837_09afb7bc9c834125bc5547bdd4df0aea.pdf
    • https://static.usrfiles.com/ugd/b8c837_f48536f7208c499baacd5fd2431ace0c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008076.bin
2e951c9a35a9df4d23fe79eefa871c78a6c4dc185124eebfad57a2c1c6c2d9a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8076 5212 bytes
font_01_sfnt_off0000923f.bin
2de76618fd4da910f13134666bf4f6726edfc1eb3f5f36cde285252b0ffa3cf9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x923F 10980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.