Malicious PDF — malware analysis report

Static analysis result for SHA-256 202f1c7e46823ceb…

MALICIOUS

PDF

44.2 KB Created: 2020-09-01 00:12:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8cbce9469b91b4006f19528c741ddf9e SHA-1: 3f0a50673199ca052bdf68cdcd00ed523050103a SHA-256: 202f1c7e46823cebacc58a295c99f714721c1bad6184e4ff1318c4353787bd20
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is designed to lure users to malicious content. The document body, though heavily obfuscated, contains the same URL and appears to be a lure related to writing a physics lab report conclusion. The presence of numerous external PDF links, many hosted on static.usrfiles.com, suggests a link farm or SEO poisoning tactic to distribute the malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=how+to+write+physics+lab+report+conclusion
    • https://static.usrfiles.com/ugd/b6edda_660b4c005cbb4a14b952cf2383560d32.pdf
    • https://static.usrfiles.com/ugd/5a1791_51e7ba60501d462eafcad4cf576f7689.pdf
    • https://static.usrfiles.com/ugd/90c678_63cca6748db443dba25a795793c1a2b2.pdf
    • https://cdn.shopify.com/s/files/1/0431/8419/3697/files/2035557717.pdf
    • https://cdn.shopify.com/s/files/1/0431/0751/6565/files/domipexevudadobadoz.pdf
    • https://static.usrfiles.com/ugd/e73fea_7639614b8ed7434ea5954f1ec3e764d4.pdf
    • https://static.usrfiles.com/ugd/b8c837_4e20110fd41f4636b6ca4aa6395a8683.pdf
    • https://static.usrfiles.com/ugd/40b9e6_1545285ff2fa4b38b0f99c1479100855.pdf
    • https://static.usrfiles.com/ugd/b8c837_25ce794ea87541828f2e8ce8877a5f8f.pdf
    • https://static.usrfiles.com/ugd/83b1b3_f599f3ea1af14f3984968146ae658174.pdf
    • https://cdn.shopify.com/s/files/1/0428/2351/6323/files/ghazwa_khandaq.pdf
    • https://cdn.shopify.com/s/files/1/0434/3418/0769/files/73576198929.pdf
    • https://cdn.shopify.com/s/files/1/0434/3654/0056/files/27428426668.pdf
    • https://cdn.shopify.com/s/files/1/0428/5313/8591/files/lalej.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e2a.bin
7b7fa7fa7cd0a33f2cdd044abe4890d42ce644e838a567d89c870f9871a97ede		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E2A 5316 bytes
font_01_sfnt_off0000804b.bin
eb128bdfe4a5debfbc5a89cd81b8fa59bee561e5e357ff2fb55c4a7592ef94aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x804B 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.