Malicious PDF — malware analysis report

Static analysis result for SHA-256 279394f6a3f52a66…

MALICIOUS

PDF

58.0 KB Created: 2020-09-01 19:31:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fe44f5da5f31d0864d99db4c2eb77c2 SHA-1: 8b6b63898ae77339b9ec22b78f2ab2391a550328 SHA-256: 279394f6a3f52a660338c6edd2a6300e8f9fe871c2eab7bf35de0b4a4d39771f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of these links, disguised as a guitar chords PDF, redirects to the malicious domain ttraff.club. This indicates a social engineering attempt to trick users into visiting a potentially harmful site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=guitar+chords+songs+for+beginners+pdf
    • https://static.usrfiles.com/ugd/b8c837_88e3500285b94696bd11af5ced4611ed.pdf
    • https://static.usrfiles.com/ugd/b0b521_7ee52ae4ca134f3dbd8341fc6820df5a.pdf
    • https://static.usrfiles.com/ugd/b8c837_20166433681549e3a1ae798c37568a2c.pdf
    • https://static.usrfiles.com/ugd/b8c837_506ecb35fdbd4189b8bc2a72fbc73606.pdf
    • https://cdn.shopify.com/s/files/1/0431/5886/4028/files/adobe_after_effects_cs6_full_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0428/4032/6300/files/28910504670.pdf
    • https://cdn.shopify.com/s/files/1/0433/8538/9206/files/xetuvikidufosaluruja.pdf
    • https://cdn.shopify.com/s/files/1/0440/6067/2165/files/showtime_rotisserie_manual.pdf
    • https://static.usrfiles.com/ugd/39d081_e509e4eeaf6a44629e0b622ff3e037c4.pdf
    • https://static.usrfiles.com/ugd/82e28d_28d94bf8996e4fd99644ac8391821ef7.pdf
    • https://static.usrfiles.com/ugd/98e298_d699542850424a9cb40daae1ad449229.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ed6f6ed7cc54df5bfc99d64364d70cb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009826.bin
1541f4fdf1ae35cbdf428b1624c0248c57a97acaac79345753e945c3159af747		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9826 5556 bytes
font_01_sfnt_off0000aafa.bin
fa28dc7c6aa3c8d1da464b08fa0f2fa4bd33c85922dc9253c45d8556e4bcae33		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAAFA 3272 bytes
font_02_sfnt_off0000b7d9.bin
ce42441f346ecce7fa084e0df3125565fcc1bd2907333801329da7a82ad88eda		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB7D9 10320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.