Malicious PDF — malware analysis report

Static analysis result for SHA-256 303c731cc5644a9a…

Verdict: MALICIOUS
File type: PDF

Size: 41.0 KB | Created: 2020-09-12 03:12:34 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53e5f8e030d27c95810658e701677037
SHA-1: 902303894abe3e8f040ac91ac117d2d6ee2facfd
SHA-256: 303c731cc5644a9abd95acc068a52efc00322d12857ab8eeb7d41ac4e2740fb9
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF was classified as malicious on structural grounds. It is small and machine-generated (the producer string, wkhtmltopdf via Qt, is what an HTML page rendered to PDF leaves behind, not an authored document), yet it carries an unusually large number of clickable external links. One critical heuristic fired on a link annotation pointing to 'ttraff.club', redirector infrastructure used by a known PDF SEO/adware delivery campaign. A second critical heuristic fired on the link-farm pattern: a cluster of the links point to 'static.usrfiles.com', and the remainder to other file-hosting paths, which is not how a genuine document cites sources. The document body also contains the URL 'https://ttraff.club/wix?keyword=live+chat+application+for+pc+free'; the keyword parameter is a search-term lure for a free software download. Documents in this family rely on the user clicking through a redirect chain rather than on a PDF parser vulnerability, so the risk is to anyone who follows the links, and the sample should be handled as a redirect-chain lure rather than an exploit carrier.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.club/wix?keyword=live+chat+application+for+pc+free (also present in the document body text, see summary)
    • http://files.insitju.com/uploads/1/3/1/4/131437249/zutomatimixega.pdf
    • http://files.ianjkeddie.com/uploads/1/3/0/8/130874207/besosolexiga.pdf
    • http://lirov.teesdalechallengewalks.net/uploads/1/3/1/6/131636755/2976907.pdf
    • http://files.goldenspiraldesigns.com/uploads/1/3/0/7/130740232/5083549.pdf
    • https://static.usrfiles.com/ugd/23b571_7d3b1748363342518c13d675a2235c05.pdf
    • https://static.usrfiles.com/ugd/e73fea_a817a55fa0884f918e60379dc1d7f32a.pdf
    • https://static.usrfiles.com/ugd/18122d_0325e06285684fa5a5734d5b1fea9762.pdf
    • https://static.usrfiles.com/ugd/17beed_60a4a0fdee8143f8b8dca79be26dc765.pdf
    • https://cdn.shopify.com/s/files/1/0438/2723/2918/files/dwr-921_4g_lte_router_port_forwarding.pdf
    • https://cdn.shopify.com/s/files/1/0460/3310/9156/files/osrs_gilded_altar_guide.pdf
    • https://cdn.shopify.com/s/files/1/0459/9634/3455/files/nolovazinoludasitax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF, Dublin Core and Adobe XMP namespace identifiers from the document's metadata stream, not clickable links; they appear in most PDFs that carry XMP metadata and are not themselves a detection.
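The two critical heuristics above are simple enough to re-derive by hand, and doing so makes the channel distinction in the EMBEDDED_URL note concrete: only the /URI value of a link-annotation action is clickable, whereas a plain grep for "http" over the file also returns XMP namespace URIs and misses any target written as a PDF hex string. The following script is an added example, not the analysis tool's code. The bad-host set is seeded only with the redirector host named in this report, the link-farm thresholds (256 KB, 8 links, 30% on the busiest host) are assumptions rather than the vendor's values, and the sample PDF is constructed inline from the twelve clickable URLs listed above.

```python
"""Added example (not the analysis tool's code): re-derive this report's two link
heuristics from a PDF byte string. Assumed, not the vendor's values: the bad-host
set (only the redirector host named in the report) and the link-farm thresholds.
The sample PDF is constructed inline from the URLs listed in the report."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlparse

KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}   # assumed: seeded from this report only
LINK_FARM_MAX_BYTES = 256 * 1024           # assumed: what counts as a "small" PDF
LINK_FARM_MIN_LINKS = 8                    # assumed: minimum clickable external links
LINK_FARM_TOP_HOST_SHARE = 0.3             # assumed: share held by the busiest host

# /URI target inside a URI action: literal (...) or hex <...>. "/S /URI" is never
# followed by a string, so it does not match. Unescaped nested parens are not handled.
_URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)
_ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")   # naive grep over the whole file
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f", b"(": b"(",
            b")": b")", b"\\": b"\\", b"\n": b"", b"\r": b""}   # \<newline> is a continuation

def _unescape_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes (\\n \\( \\) \\\\ ..., \\ddd octal, continuation)."""
    def sub(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return _ESCAPES.get(e, e)              # unknown escape: keep the character
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, raw, flags=re.S).decode("latin-1")

def extract_link_annotations(pdf: bytes) -> List[str]:
    """The clickable channel only: /URI values of link-annotation actions."""
    urls = []
    for m in _URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            urls.append(_unescape_literal(m.group("lit")))
        else:
            digits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
            digits += "0" * (len(digits) % 2)  # PDF pads an odd final digit with 0
            urls.append(bytes.fromhex(digits).decode("latin-1"))
    return urls

def extract_all_urls(pdf: bytes) -> List[str]:
    """Every http(s) URL visible as plain text: body, XMP namespaces, anything."""
    return [m.group().decode("latin-1") for m in _ANY_URL_RE.finditer(pdf)]

def evaluate(pdf: bytes) -> Dict[str, object]:
    """Score the link-annotation channel with the redirector and link-farm heuristics."""
    hosts = Counter()
    for u in extract_link_annotations(pdf):
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.hostname:
            hosts[p.hostname.lower()] += 1
    external = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    bad_hosts = sorted(h for h in hosts if h in KNOWN_REDIRECTOR_HOSTS)
    hits = ["PDF_MALICIOUS_REDIRECTOR_LINK"] if bad_hosts else []
    if (len(pdf) <= LINK_FARM_MAX_BYTES and external >= LINK_FARM_MIN_LINKS
            and top_count / external >= LINK_FARM_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "external_links": external, "top_host": top_host,
            "top_count": top_count, "bad_hosts": bad_hosts, "hits": hits}

# The twelve clickable URLs from this report; the XMP namespace URIs are not links.
REPORT_LINK_URLS = [
    "https://ttraff.club/wix?keyword=live+chat+application+for+pc+free",
    "http://files.insitju.com/uploads/1/3/1/4/131437249/zutomatimixega.pdf",
    "http://files.ianjkeddie.com/uploads/1/3/0/8/130874207/besosolexiga.pdf",
    "http://lirov.teesdalechallengewalks.net/uploads/1/3/1/6/131636755/2976907.pdf",
    "http://files.goldenspiraldesigns.com/uploads/1/3/0/7/130740232/5083549.pdf",
    "https://static.usrfiles.com/ugd/23b571_7d3b1748363342518c13d675a2235c05.pdf",
    "https://static.usrfiles.com/ugd/e73fea_a817a55fa0884f918e60379dc1d7f32a.pdf",
    "https://static.usrfiles.com/ugd/18122d_0325e06285684fa5a5734d5b1fea9762.pdf",
    "https://static.usrfiles.com/ugd/17beed_60a4a0fdee8143f8b8dca79be26dc765.pdf",
    "https://cdn.shopify.com/s/files/1/0438/2723/2918/files/dwr-921_4g_lte_router_port_forwarding.pdf",
    "https://cdn.shopify.com/s/files/1/0460/3310/9156/files/osrs_gilded_altar_guide.pdf",
    "https://cdn.shopify.com/s/files/1/0459/9634/3455/files/nolovazinoludasitax.pdf",
]

def build_sample_pdf(urls: List[str]) -> bytes:
    """Constructed one-page PDF: a link annotation per URL plus an XMP stream carrying the
    rdf/pdf namespaces. urls[0] is written as a hex string, which a plain grep misses.
    No xref table is emitted; the byte-level scanner above does not need one."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/></rdf:RDF>')
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream"]
    for i, u in enumerate(urls):
        raw = u.encode("latin-1")
        lit = raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        target = b"<" + raw.hex().encode() + b">" if i == 0 else b"(" + lit + b")"
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI " + target + b" >> >>")
    body = b"".join(b"%d 0 obj\n" % n + o + b"\nendobj\n" for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Running `evaluate(build_sample_pdf(REPORT_LINK_URLS))` returns both critical heuristic IDs, with static.usrfiles.com as the busiest host (4 of 12 links). Running `extract_all_urls` on the same bytes returns the two XMP namespace URIs and omits the hex-encoded ttraff.club target, which is exactly why the report labels URLs by channel instead of treating a URL string as a detection. A production scanner would decompress FlateDecode object streams and walk the /Annots array with a real parser (pdfminer, pypdf, peepdf) rather than regex over raw bytes, and would load the redirector list from threat intelligence rather than a hard-coded set.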

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font subsets, which are normal for HTML-to-PDF output and are not indicators on their own; they were carved so they can be hashed and checked separately.

Filename                       Kind              Source                                      Size
font_00_sfnt_off0000642a.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x642A   4928 bytes
  SHA-256: 1d393c3ded128811ba8aea187f8fcd9517f4c1dc171e178f754a08e8bc672fd8
font_01_sfnt_off000074f7.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x74F7   10188 bytes
  SHA-256: 1247bb8ad4c94d606f0160c23577c8f01a85df4c11edde45799df64a57463466