Malicious PDF — malware analysis report

Static analysis result for SHA-256 35dc8c08e9a2cb81…

MALICIOUS

PDF

40.7 KB Created: 2020-08-30 04:19:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4838d76b7cb0d1a78edae46ccb675acc SHA-1: eb798c5a5abe54ffe8515c08ad7d6bb5e5ff8e3b SHA-256: 35dc8c08e9a2cb811576df3a8bf78a81b96b4885941bebc70a9108403c9bcf36
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.cc/wix?keyword=besteker+hd+1080p+user+manual'. The document body, though heavily corrupted, contains text fragments suggesting it is a user manual, which is a common lure. The presence of numerous external PDF links, many pointing to 'static.usrfiles.com', indicates a link farm, likely to improve SEO for the malicious redirector. No scripts were extracted, but the primary attack vector appears to be social engineering via a deceptive document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=besteker+hd+1080p+user+manual
    • https://static.usrfiles.com/ugd/4d400c_c1df158bbb9348e0a8d745fdef6d10ef.pdf
    • https://static.usrfiles.com/ugd/9219f8_2f18e461f86e4c4796bedac37c333639.pdf
    • https://static.usrfiles.com/ugd/5899d5_29ddb25cdef244d9a20773880b9d09d2.pdf
    • https://static.usrfiles.com/ugd/5ecadc_0b7869d5225949c89015cf2f17deaee2.pdf
    • https://static.usrfiles.com/ugd/696b8a_3ab76ef2ccff432f8d15b74e6817ad1e.pdf
    • https://static.usrfiles.com/ugd/b8c837_c8b5fbe519dd4d489f77557477427c74.pdf
    • https://static.usrfiles.com/ugd/9d869b_1b64d63df8384ce6817b0790aa57b406.pdf
    • https://static.usrfiles.com/ugd/e5a943_613cb16dfde54eb6b013621920ccb8d8.pdf
    • https://cdn.shopify.com/s/files/1/0427/6797/4556/files/dowawivanitiz.pdf
    • https://cdn.shopify.com/s/files/1/0430/2903/7219/files/46302149333.pdf
    • https://cdn.shopify.com/s/files/1/0431/5843/8056/files/37373067432.pdf
    • https://cdn.shopify.com/s/files/1/0440/6214/6710/files/music_mp3_ringtone.pdf
    • https://cdn.shopify.com/s/files/1/0427/4746/1788/files/36501345597.pdf
    • https://cdn.shopify.com/s/files/1/0436/9121/2950/files/metro_rio_de_janeiro_mapa.pdf
    • https://cdn.shopify.com/s/files/1/0428/9314/8313/files/woxobubamidoxarupamobox.pdf
    • https://cdn.shopify.com/s/files/1/0433/9345/0134/files/60030893220.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e37.bin
cc8be17f2cd870bccc3a2a35aacc983f99200d5d94a31c0cfb9369acf09bde30		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E37 5700 bytes
font_01_sfnt_off0000717d.bin
f33003416ae73b10d0c29122d3d4030e489688db66253d42a82a9bee2f67a0a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x717D 10760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.