Malicious PDF — malware analysis report

Static analysis result for SHA-256 309360130747174d…

MALICIOUS

PDF

45.2 KB Created: 2020-08-31 03:48:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 454d9dd03012f7e2d233992050413b22 SHA-1: 2453b146883f328357172c57472b5ce237fb25ee SHA-256: 309360130747174db0fe5a1acd83169cece3d28c2d944e0c7873bfe3eed70aed
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic match for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=best+blender+for+the+money'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with 'https://static.usrfiles.com/ugd/b8c837_8fd8ef06d5e1496ba36508712f43b540.pdf' being the first identified. The document body, though heavily obfuscated, contains the same URL, suggesting a lure to a potentially malicious site under the guise of product information.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=best+blender+for+the+money
    • https://static.usrfiles.com/ugd/b8c837_8fd8ef06d5e1496ba36508712f43b540.pdf
    • https://static.usrfiles.com/ugd/20d83a_d19f22e8517d4e9eb7992192154a1bf1.pdf
    • https://static.usrfiles.com/ugd/9ff9b8_7bdfd9be30524dbcb7896b3cdbac5429.pdf
    • https://static.usrfiles.com/ugd/b8c837_f5457bbe5509467abd543692feda57f7.pdf
    • https://static.usrfiles.com/ugd/b8c837_c720883fa70a4b16aa28daeb13e60fa9.pdf
    • https://static.usrfiles.com/ugd/eda9ba_18d7b7e812c04bd9a7e89ae3558bc24d.pdf
    • https://static.usrfiles.com/ugd/a01749_d2a48dc87bc34657802527763841f2cf.pdf
    • https://static.usrfiles.com/ugd/b8c837_48151c44e7f5418980e2c23affea03ec.pdf
    • https://static.usrfiles.com/ugd/93c935_2043adf89f9f4589a803cae7b73e6bb5.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/puxatofutedixa.pdf
    • https://cdn.shopify.com/s/files/1/0440/6027/8936/files/bibutifep.pdf
    • https://cdn.shopify.com/s/files/1/0428/5172/9574/files/jotavisikotuju.pdf
    • https://static.usrfiles.com/ugd/b8c837_a1ae12a515684e9cbe0ba16862820ffa.pdf
    • https://static.usrfiles.com/ugd/b8c837_0cbf90df8ae845fba507f72abba8354c.pdf
    • https://static.usrfiles.com/ugd/b8c837_6aecdae74ae14960af658b92618a68f8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/a0

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071c7.bin
d9d23acdd29593131abdbd78bdea5dbd58d603505695db2a9c32df133584c01c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71C7 5228 bytes
font_01_sfnt_off0000835e.bin
c4a22da9410a77b9cc63ff3155f73243502a619f2ce8a57e1adc7ab58dc7a469		 pdf-font-stream PDF embedded font (sfnt) at offset 0x835E 10680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.