Malicious PDF — malware analysis report

Static analysis result for SHA-256 25b0ad4da5c6305e…

Verdict: MALICIOUS

File type: PDF

Size: 42.5 KB
Created: 2020-09-09 03:06:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 3ddc56548f67b4c3f1372e8eb9a68dd2
SHA-1: 26fdb6f1264130fa1bc86514f2b75bceb75117e5
SHA-256: 25b0ad4da5c6305edd4eb333682dc2ebd8e8574ae7e40d576a3a5def50fb2b7f

Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to `https://ttraff.me/wix?keyword=transparent+hologram+sheet+sticker`. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with `https://static.usrfiles.com/ugd/ca32a8_f9068930b2774a249a92d2dfcd2d57e0.pdf` being the first identified. The document body, though heavily obfuscated, contains text related to 'transparent hologram sheet sticker' and the malicious URL, suggesting a lure to entice users to click the link.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=transparent+hologram+sheet+sticker
    • https://static.usrfiles.com/ugd/ca32a8_f9068930b2774a249a92d2dfcd2d57e0.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000067bd.bin
    SHA-256: b682324987c4d272a7f3f4f9d562fe94c1ea807119c042bc59295450663fa863
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67BD
    Size: 5360 bytes
  • Filename: font_01_sfnt_off000079d2.bin
    SHA-256: e3f884c42f5f41301a08a084606514d174f09e9073f8a076d5b54c2ba79ac2a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79D2
    Size: 10348 bytes