Malicious PDF — malware analysis report

Static analysis result for SHA-256 207ead43ce6bb195…

MALICIOUS

PDF

41.3 KB Created: 2020-08-31 01:17:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c75215dede19a7223ee373bf258a1765 SHA-1: b0d1b9965bc7a0bf5f3e919c1f0cc6199de12161 SHA-256: 207ead43ce6bb19588bafd530741bd5e3e2cd8784aa522bb37da200cd4160de9
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of these links, https://ttraff.cc/wix?keyword=ppsspp+cso+games+list, is identified as a malicious redirector. The document body, though heavily obfuscated, appears to contain text related to games and the malicious URL, suggesting a lure to entice users to click the link. The presence of a 'Password-protected archive handoff' heuristic indicates that this PDF might be part of a multi-stage attack where the user is instructed to download an archive, potentially containing further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=ppsspp+cso+games+list
    • https://static.usrfiles.com/ugd/b8c837_89144cee0e56416bb73b154dfc3b7f77.pdf
    • https://static.usrfiles.com/ugd/b88e3d_fb9110bb9ca24ca3a4b2068abbdb803e.pdf
    • https://static.usrfiles.com/ugd/b8c837_b07cb329512d4054949d76341b293a75.pdf
    • https://static.usrfiles.com/ugd/b914b5_e2834dbc6851417987563540f6de9038.pdf
    • https://static.usrfiles.com/ugd/23b571_3010549adbab417d98355f8457c38349.pdf
    • https://cdn.shopify.com/s/files/1/0463/0455/9261/files/debarge_greatest_hits.pdf
    • https://static.usrfiles.com/ugd/b8c837_a30388abdfd24672a16a5c465e37949b.pdf
    • https://static.usrfiles.com/ugd/b8c837_87e67cb6cc884dda9b20febff742b9d9.pdf
    • https://cdn.shopify.com/s/files/1/0436/1184/8861/files/arduino_ide_datasheet.pdf
    • https://cdn.shopify.com/s/files/1/0434/6963/5749/files/lateral_thinking_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0437/8198/0317/files/17747362987.pdf
    • https://cdn.shopify.com/s/files/1/0436/8809/9993/files/html_to_converter_c_open_source.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006316.bin
38ffa0d07b8469c7471fbb9bf7f7ad4dd2be2321dd622ec95363fb6e820880b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6316 5156 bytes
font_01_sfnt_off00007492.bin
e8b12b2db455f6447a6b6cd1d26f1906970b1d17bf6686460b9bcb482704fba9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7492 10700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.