Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a6f250ba2ef6279…

MALICIOUS

PDF

45.1 KB Created: 2020-09-01 03:21:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b952e1b1f045925528a2b5c2b336a02 SHA-1: b5eab518b4d241c8cf0b2513ec0135936e6d7002 SHA-256: 2a6f250ba2ef627917e889338f6578dd167ff2d17a8bae0d9c96b85ce9589ad1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating it links to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.cc/wix?keyword=intel+processors+performance+order', which is also flagged as malicious. The file also contains a large number of external PDF links, many hosted on static.usrfiles.com, suggesting a link farm or redirection strategy. No scripts were extracted, and the document body did not provide clear textual lures.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=intel+processors+performance+order
    • https://static.usrfiles.com/ugd/affb4a_eb07600bd5934ebd98273080cec0884a.pdf
    • https://static.usrfiles.com/ugd/c5d40f_b0c8fd1a0a714f29829c4bb2bb345c23.pdf
    • https://static.usrfiles.com/ugd/d5415a_f58b8d737ce34d4c88df9f5a9650521f.pdf
    • https://static.usrfiles.com/ugd/b7ab08_40b3441224034b11add90f167a0c69f6.pdf
    • https://cdn.shopify.com/s/files/1/0430/1104/7575/files/32044957974.pdf
    • https://cdn.shopify.com/s/files/1/0459/7311/0951/files/54276294463.pdf
    • https://cdn.shopify.com/s/files/1/0431/5765/1613/files/12116425808.pdf
    • https://cdn.shopify.com/s/files/1/0429/4973/8650/files/nemexe.pdf
    • https://static.usrfiles.com/ugd/b8c837_423f1dee98b64e0db23e64b60ffe3dff.pdf
    • https://static.usrfiles.com/ugd/50de67_0edc975616b94dc7ae3f153db1f88af8.pdf
    • https://static.usrfiles.com/ugd/3f80ec_953245752eca4982bd8d258bb4ae5190.pdf
    • https://static.usrfiles.com/ugd/8a419d_cf658839c7464687ae9b032afa1a00af.pdf
    • https://static.usrfiles.com/ugd/4ae4db_3328dad468bc4b2dae1d4a1d61054e38.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_224a8321579e40b2a303764319a7850f.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000649d.bin
5ee64e0015c5753ba9186d074bb30a3b328f82b1955942c8b643f63c0f61c3f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x649D 5236 bytes
font_01_sfnt_off00007656.bin
bc32af28242015f4e252b74b7bd6e61b5317d848f388df5a9e1a75d1b6ee358d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7656 15488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.