Malicious PDF — malware analysis report

Static analysis result for SHA-256 30f286d584e0bdd9…

MALICIOUS

PDF

43.4 KB Created: 2020-09-17 12:46:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 952b36df8aea1bdf20763705cc67aad8 SHA-1: 58223c292484bb2f7ca85a7c1381b61d8ec0445f SHA-256: 30f286d584e0bdd9f19954478a9c84de0d8bcc4e83ed34cc0ffe0bfa440a741c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to a high density of embedded links, a common tactic for distributing malware or conducting phishing campaigns. One critical heuristic firing indicates a link to known malicious redirector infrastructure, specifically 'https://ttraff.club/wix?keyword=lux+one+direction+godfather'. The document body, though heavily obfuscated, also contains this URL, reinforcing its malicious intent. The presence of numerous other embedded URLs suggests a link farm designed to overwhelm security measures or distribute payloads across multiple domains.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=lux+one+direction+godfather
    • http://figenipe.ddjohnsonassociatesllc.com/uploads/1/3/0/8/130814579/1931964.pdf
    • http://files.nicolereddingtonart.com/uploads/1/3/1/0/131070325/kebesusami.pdf
    • http://files.eileenmshinners.com/uploads/1/3/0/7/130776757/f9592.pdf
    • http://files.alzubilaw.com/uploads/1/3/2/6/132683017/9351123.pdf
    • http://files.stjohnscoopersburg.org/uploads/1/3/2/6/132681415/fc0ff4d395073b.pdf
    • http://fibinuro.debshill.com/uploads/1/3/0/8/130874642/8892230.pdf
    • http://files.sunnybankanglican.com/uploads/1/3/1/4/131453253/galipete_wudajuko_xozab_nizesunepugum.pdf
    • https://981325f2-0295-4af6-a6ba-cf315fbe5d05.filesusr.com/ugd/8e9e2f_bc60643573a34dec8fa3fec8c411cc44.pdf?index=true
    • https://3a8687ec-9628-404a-9b2a-bd310fec1810.filesusr.com/ugd/405339_a716df50c0c842da87537a59ce535934.pdf?index=true
    • https://71feb842-2316-4476-b9bb-14038bfc4642.filesusr.com/ugd/4aae87_c5122a32e67548028482301ceb4461ad.pdf?index=true
    • https://5a9777c0-60ef-452d-beb6-bda9daccbb7d.filesusr.com/ugd/1715bf_5e9f7a1d32b34ee8bbd7c9a7856a050c.pdf?index=true
    • https://b45a73e8-f20c-482b-afad-82c4351f419f.filesusr.com/ugd/6a22cb_81c5d8aaef094ff98df0cd9c031a035b.pdf?index=true
    • https://8bd31aab-1cd9-4584-acd0-22a7f6ec12b0.filesusr.com/ugd/0582e0_e4072093891646118d332af5e068c147.pdf?index=true
    • https://bed973d0-ca42-4351-b2ab-cf6658c08ac5.filesusr.com/ugd/3ed44c_a88e5b876d9246c0a189854998191229.pdf?index=true
    • https://7eedaa87-c12a-40a1-8412-2501d0449535.filesusr.com/ugd/02631b_aa5dd933db8c41eaac74465c3e72de82.pdf?index=true
    • https://803002ff-2137-4dd9-8755-29643f2d8905.filesusr.com/ugd/d90490_6f2519407afe4269b16dcfc13cbbf9bf.pdf?index=true
    • https://a7898eb8-c20a-48f4-a39e-674d3bc61a8f.filesusr.com/ugd/f1780b_7f4175d94e9f4ece801583174a0039f5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000634d.bin
e65dc9b886fcc761adb45b769ae1f4708c232b742dd202a6092f30a3e5ca86c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x634D 5084 bytes
font_01_sfnt_off0000749f.bin
2f4f640456f9608a52cacec7e5957e1c52d2092821c4ffba8bf6bcf01ffee3a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x749F 13792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.