Malicious PDF — malware analysis report

Static analysis result for SHA-256 31781c00a2e39b37…

MALICIOUS

PDF

129.1 KB Created: 2020-09-04 01:41:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: edfdaf25d32a16f0ec7184ab63cc9ee2 SHA-1: 6dbd72ad09352c9033600bb9a651676a876cef48 SHA-256: 31781c00a2e39b37f23147165b98b3f272bcb6959e82f4f210002098aeada0e1
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to a link farm hosted on static.usrfiles.com, and one critical link to a known malicious redirector at ttraff.club. The document body, though heavily obfuscated, contains text that suggests an urgency lure, such as 'account will be terminated' or 'action required within 24 hours'. The primary malicious URL is ttraff.club, which is likely used to redirect users to further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=beating+around+the+bush+tab+pdf
    • https://cdn.shopify.com/s/files/1/0438/2985/4368/files/76466533892.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/80835258875.pdf
    • https://cdn.shopify.com/s/files/1/0432/6037/9286/files/72626948850.pdf
    • https://cdn.shopify.com/s/files/1/0434/6698/1542/files/54869545384.pdf
    • https://static.usrfiles.com/ugd/856cea_bce0010bf3d544048a5942e48963b951.pdf
    • https://static.usrfiles.com/ugd/f515ca_b035a855a60c4eea9fa2dadb6e19bec8.pdf
    • https://static.usrfiles.com/ugd/9ea91e_81534ba55f5c47bbbbe26cea260a845c.pdf
    • https://static.usrfiles.com/ugd/3d0627_d089ebced36a4486b16256df9723dbd8.pdf
    • https://static.usrfiles.com/ugd/b8c837_3f4f84a6a05a415fadeb236f94690782.pdf
    • https://static.usrfiles.com/ugd/c3f88d_3b742b18c6ba41b7a37582c511fb9ef0.pdf
    • https://static.usrfiles.com/ugd/5e8de6_63329408785f479c839c1db262070d92.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001ba88.bin
962f34b3f3800d4754c44f637ffc419d11292572722961854372d7de69f98115		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1BA88 5460 bytes
font_01_sfnt_off0001cd0c.bin
ceebc52be2abbfd571c166d275f46fc2ae82a10a93d9914f80a84efd8027e53b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CD0C 13112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.