Malicious PDF — malware analysis report

Static analysis result for SHA-256 27d74f65ba0bd923…

MALICIOUS

PDF

39.9 KB Created: 2020-09-07 00:32:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d88af1eedcd47870ab9627d12f6e225 SHA-1: 6fd87c363cc20a276be25ddc1e20f0c202ea6210 SHA-256: 27d74f65ba0bd923e0d655264d5633a96299aea94bd576ac357972542a83cc05
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a 'PDF_SEO_LINK_FARM'. Another heuristic, 'PDF_MALICIOUS_REDIRECTOR_LINK', indicates that one of the links points to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.club/wix?keyword=black+veil+brides++2018+setlist, which is likely the primary malicious destination. The presence of numerous links to static.usrfiles.com suggests a coordinated effort to distribute content, potentially as part of a larger campaign.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=black+veil+brides++2018+setlist
    • https://static.usrfiles.com/ugd/4b7290_8fc1c350aedf4088866631fe8ffe04be.pdf
    • https://static.usrfiles.com/ugd/df4650_da7bae4f1fe54d24ba473cf0a666c18e.pdf
    • https://static.usrfiles.com/ugd/f967ac_ce7b1e1a455243c6862d2d29ddacc395.pdf
    • https://static.usrfiles.com/ugd/0789d5_02b84ad949e8458b8bc4c7a45fb91789.pdf
    • https://static.usrfiles.com/ugd/f80014_32f3faa445e745e4a73914b2219fa029.pdf
    • https://static.usrfiles.com/ugd/7c30af_60e898c77cda47ca88be69d12dadef33.pdf
    • https://static.usrfiles.com/ugd/76156b_4d037a2c7cd14605b7683af8efbd4a74.pdf
    • https://static.usrfiles.com/ugd/0a052f_40a0d79ff88540edbb007d050ec4db22.pdf
    • https://static.usrfiles.com/ugd/2f07a1_dadcf3219b544a098d534c3b21f542e6.pdf
    • https://static.usrfiles.com/ugd/3bcfef_918471335487461c8283cace1650669e.pdf
    • https://static.usrfiles.com/ugd/b8c837_dbfb65b7e1a24f628eca6b1112a25e08.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d68.bin
f0d87485a2d3e9ccf2e62708f3146bad9ce52181fbb3d93950ee42a9b161d8b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D68 5764 bytes
font_01_sfnt_off0000611e.bin
748af14d8a567b8a151b1453fd922d1c741f809b809f0cf604bb2f44a881b451		 pdf-font-stream PDF embedded font (sfnt) at offset 0x611E 15488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.