Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ecca8ed63cf0fd5…

MALICIOUS

PDF

44.1 KB Created: 2020-08-31 08:30:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 560a117cbb7304f0997d66cb41d062ef SHA-1: 7b083da4de45daa02354abc9371f18986bf755a7 SHA-256: 2ecca8ed63cf0fd54e0963f123b57a1a5288da4315641cfdb974c7eb8fc21777
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one heuristic identifying it as a PDF link farm. The primary malicious URL, https://ttraff.com/wix?keyword=katia+pallaoro+facebook, is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to lure users to external sites. The presence of numerous links to static.usrfiles.com, while flagged as benign, contributes to the overall link farm characteristic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=katia+pallaoro+facebook
    • https://static.usrfiles.com/ugd/b8c837_3bd5f229bb2d4ace8ce9d91a1189196a.pdf
    • https://static.usrfiles.com/ugd/b8c837_e7c1df167c7144dcb2e091af2a92c45b.pdf
    • https://static.usrfiles.com/ugd/b8c837_a2a807880bc94fa796a6c93447feb93f.pdf
    • https://static.usrfiles.com/ugd/b8c837_bad46709eed94c46926a22702f232f21.pdf
    • https://static.usrfiles.com/ugd/b8c837_2178fc3e576e45d3806a5c0956ce27b2.pdf
    • https://static.usrfiles.com/ugd/18f527_31ed9e59b5a94fb09bd8490d58fbc65c.pdf
    • https://static.usrfiles.com/ugd/99afdc_622673dc4d874c178b6900c8fb42bb14.pdf
    • https://static.usrfiles.com/ugd/b4609a_018743af5dda4fb3bddbbe187889156f.pdf
    • https://static.usrfiles.com/ugd/b8c837_eb4fea33ec3547b69151513ee97c5c2e.pdf
    • https://static.usrfiles.com/ugd/b8c837_e7636953b3c9450b99517d154c542f6f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e7dec993685842a59996048e02d31b77.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005472.bin
40f4caeb4c427c868707d6be994d389d562942cf3e2feea85f7c9d851f19c28b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5472 3240 bytes
font_01_sfnt_off00005ffe.bin
2358101911077d2c9ce1bf10b15dd0b8f9732fc4732420330eba0794c81f0649		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FFE 5004 bytes
font_02_sfnt_off00007108.bin
6cd2edce14ab3811fc6a014f214af3de68626bb767cfcfb5817ab341485bf064		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7108 3484 bytes
font_03_sfnt_off00007e59.bin
e618fdc69ddbc0d13bbf89d4506358b96e5fb4bc3c1e5fca47c6979617638e02		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E59 11140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.