Malicious PDF — malware analysis report

Static analysis result for SHA-256 361f46df6034904b…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Created: 2020-08-30 18:50:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b3f7df36fffdf35233f15eb9bb2feb5
SHA-1: ee689538c0d5484030ecd4678cda7385ae34e9d1
SHA-256: 361f46df6034904bae9a3f34e6fb94b68ec7b9e06c4199a075a3ab5051b2f960
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=licence+guitar+pro+7'. This indicates the document is designed to trick users into visiting a malicious site by disguising the link as a software license. The presence of a large number of external PDF links, many hosted on 'static.usrfiles.com', suggests a link farm or SEO poisoning attempt to increase the visibility of the malicious redirector.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=licence+guitar+pro+7

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000064d2.bin
    SHA-256: 6ce54a409412b9b2fd66f8252c42cdd580d0eb91346dde925e76214349862c1a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x64D2
    Size: 4912 bytes
  • Filename: font_01_sfnt_off000075a1.bin
    SHA-256: 99cf63001a1a47e22b9411ab5084c49a9000d54a03c9dcb816b961610b0e7e4f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75A1
    Size: 9992 bytes