Malicious PDF — malware analysis report

Static analysis result for SHA-256 21421d4158b7cb10…

MALICIOUS

PDF

35.3 KB Created: 2020-09-02 01:27:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 750a1abc379522dec498208071b56027 SHA-1: 8dac5b230816b65e19ee578607fc955729f0cdec SHA-256: 21421d4158b7cb105333a2c2f9647b99d07a699a9e34df1a0264093ec75485ea
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a lure related to 'usa today crossword answers june 21 2019' and embeds a link to a redirector. This redirector, 'https://ttraff.link/wix?keyword=usa+today+crossword+answers+june+21+2019', is flagged as malicious. The document also contains a large number of embedded links, many pointing to 'static.usrfiles.com', which is identified as part of a PDF link farm. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=usa+today+crossword+answers+june+21+2019
    • https://static.usrfiles.com/ugd/dc8a8e_f7e29938110b48bcbb7f5b098275547b.pdf
    • https://static.usrfiles.com/ugd/957c7b_470655bb1cf246788f3cd3a9208efcca.pdf
    • https://static.usrfiles.com/ugd/cb5dea_942e7c4d08734f31be57659ec454890e.pdf
    • https://cdn.shopify.com/s/files/1/0434/8346/3832/files/82926312277.pdf
    • https://cdn.shopify.com/s/files/1/0440/3268/8293/files/ludicrous_speed_piano_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0435/8701/0715/files/clock_in_clock_out_excel_template.pdf
    • https://cdn.shopify.com/s/files/1/0430/1576/6177/files/81892290162.pdf
    • https://cdn.shopify.com/s/files/1/0439/3923/3960/files/32977177727.pdf
    • https://static.usrfiles.com/ugd/ab059d_7b612680a2044ed1bd28ee4b92bcbebe.pdf
    • https://static.usrfiles.com/ugd/90c678_b978fa5d03e048cbb1c42dede1ebb4b3.pdf
    • https://static.usrfiles.com/ugd/0d002d_efc8d6749a11467b9d7838e05f709f13.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000049a6.bin
aa327a027c6d1555823b4b61caa4de910c154fa7ca130564f1253de8b91b90ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x49A6 5644 bytes
font_01_sfnt_off00005d07.bin
2ead76d02ecbf031e93679e7ed410a052ede20f564a3cf42ebbdf717789886af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D07 10368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.