Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f7be43afde80d26…

Verdict: MALICIOUS
File type: PDF
Size: 55.0 KB
Created: 2020-09-18 02:59:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04c80ee7614d97d32ec393f0f83cb336
SHA-1: 2b355f9ad1ac842aa14322f05f0e40e8b2ff0e39
SHA-256: 1f7be43afde80d26d8ee21d8b42493b3fdea5c39af6e7e194b87c473cedceb31
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a 'PDF link farm'. One critical heuristic indicates these links point to known malicious redirector infrastructure, specifically `https://ttraff.club/wix?keyword=best+personal+loans+yahoo+answers`. The document body, though heavily obfuscated, also contains this URL, suggesting a lure related to personal loans. The presence of numerous links to external PDFs, many hosted on suspicious domains, further supports the attack pattern of redirecting users to malicious content.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/wix?keyword=best+personal+loans+yahoo+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000990d.bin
    SHA-256: 5c1f601be7fbc63aa91e68779c065be7abf12bac1c336a22265f304f4945c0d7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x990D
    Size: 5152 bytes
  • font_01_sfnt_off0000aaa3.bin
    SHA-256: 19936f2a257cb04418a01d30e590762d1d38ba8f9a88fc67612d2ffe0065b945
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAAA3
    Size: 10620 bytes