Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ba1913c5afee5c9…

MALICIOUS

PDF

67.1 KB Created: 2020-08-29 22:04:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b6764afcfd4b0738f0aa2e4ee57d699 SHA-1: 45b450a5bccebf2f1c40c9fb164fb31776498994 SHA-256: 2ba1913c5afee5c93a3dd2401c8642c1f4dfa2ecba3e586fd508738b5e10b48a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=a+long+walk+to+water+download'. This URL is presented within the document body, disguised as a download link for 'A long walk to water'. The file also exhibits characteristics of a PDF SEO link farm, with numerous embedded links to PDFs hosted on 'static.usrfiles.com'. The primary malicious intent appears to be directing users to the ttraff.com domain.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=a+long+walk+to+water+download
    • https://static.usrfiles.com/ugd/b8c837_de08946a9d27462793c77bec0e9c467d.pdf
    • https://static.usrfiles.com/ugd/b8c837_3c00d0d0797c4653b174009bcae3e607.pdf
    • https://static.usrfiles.com/ugd/b8c837_14d5b98d8a524ed79a238b69e8ec879b.pdf
    • https://static.usrfiles.com/ugd/b8c837_07761a20b169468d989b6dfce4f0a24c.pdf
    • https://static.usrfiles.com/ugd/b8c837_0d364dab46e24a209039d58dd30071b8.pdf
    • https://static.usrfiles.com/ugd/b8c837_b905e840e05e4104a64b7ce3b4252619.pdf
    • https://static.usrfiles.com/ugd/b8c837_c3a0684e3e0f4a4e8832b2a17d4eba19.pdf
    • https://static.usrfiles.com/ugd/b8c837_a29c0173d06040b0b845b4705acdf5d5.pdf
    • https://static.usrfiles.com/ugd/b8c837_e20ba82959054b1ebba7fa2ef3a01cef.pdf
    • https://static.usrfiles.com/ugd/b8c837_c5696e3f709347e98e4e32ffb672a74c.pdf
    • https://static.usrfiles.com/ugd/868401_6ea56e7f79274ad1a96bfb4f46d3e67f.pdf
    • https://static.usrfiles.com/ugd/b8c837_a4828b92555b41358da5203a94787f42.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e3d.bin
7649ab40688a2b917e51487de012a4c71016f445a534355e9df8f54d63b5e282		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E3D 18368 bytes
font_01_sfnt_off0000a8e6.bin
89ae6b71b7686772978567d209f29f53ce6a91682ccfe3a1d1f240333c19aa19		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA8E6 4960 bytes
font_02_sfnt_off0000b9e2.bin
c5180f021954529a201546e5190c2d3d8d238baf1fb21304a5a38a29cb27994f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB9E2 15084 bytes
font_03_sfnt_off0000e8ef.bin
90b7daa565b0eed120eb447b28641e6a168b91f550a87ac71f3250e57c179b3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8EF 16368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.