Malicious PDF — malware analysis report

Static analysis result for SHA-256 24fea2b423a59716…

MALICIOUS

PDF

53.0 KB Created: 2020-09-05 14:53:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78e17a92bb124ad02d9ede32c2beddfc SHA-1: 019e525994bc4898c378a7cffbbd6cfb73a95c08 SHA-256: 24fea2b423a59716b1a23f02e5651cc4baf6c844792014482615246b23d420cd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to malicious infrastructure. The embedded URL, 'https://ttraff.club/wix?keyword=australia+visa+form+1419', is presented as an Australia visa form, serving as a lure. Another critical heuristic, PDF_SEO_LINK_FARM, indicates the PDF contains a mass of external links, further supporting a malicious intent to redirect users.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=australia+visa+form+1419
    • https://static.usrfiles.com/ugd/3dd68e_759feea2b98b4bd1a7339c0373e14e2b.pdf
    • https://static.usrfiles.com/ugd/e2c223_d5dbf27e81f74c0180275fa1838038c7.pdf
    • https://static.usrfiles.com/ugd/b27199_518afa2786a547d29fdeae22e2a9b153.pdf
    • https://cdn.shopify.com/s/files/1/0437/0238/6856/files/23690665178.pdf
    • https://cdn.shopify.com/s/files/1/0434/4309/3660/files/babupozanujun.pdf
    • https://cdn.shopify.com/s/files/1/0427/4293/9814/files/free_printable_esl_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0428/4612/6247/files/design_thinking_2020.pdf
    • https://static.usrfiles.com/ugd/1c8c6c_8d92acffc637492b833f302dcd4cf8ef.pdf
    • https://static.usrfiles.com/ugd/3e9e83_2f0591b2dce14f64abcae63611074788.pdf
    • https://static.usrfiles.com/ugd/ea2f88_d364fb3dec244d01ab840b29afd73815.pdf
    • https://static.usrfiles.com/ugd/4ae4db_d0605ca5df7b468a9ebd215568d41b35.pdf
    • https://static.usrfiles.com/ugd/599f1c_734572fd15dd4d8889102e29a8fc362e.pdf
    • https://static.usrfiles.com/ugd/e2a635_08414a92fe224d58ad9db0192f4d0516.pdf
    • https://static.usrfiles.com/ugd/9bd8c3_fc0fbefc8efc4ef1a885a82d792c162f.pdf
    • https://static.usrfiles.com/ugd/5b9a87_92f6349ea55340b4af1a66114c9c5119.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009223.bin
5b73fa74d0f57eebb878f936184d10223dc449bd2f1b693b4ad44dbe9e8916ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9223 5260 bytes
font_01_sfnt_off0000a3ff.bin
d81bef64e31d5b18080af262383de4e829d1a32ce98e8039b16c3e75bba8fb29		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA3FF 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.