Malicious PDF — malware analysis report

Static analysis result for SHA-256 362cbccd7d7690c4…

MALICIOUS

PDF

33.7 KB Created: 2020-08-30 15:59:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 968ef7218ad4e14f27dd00d8f80999d4 SHA-1: eed94a29538d21433716354319fd0bcb08ed8c94 SHA-256: 362cbccd7d7690c4158cfb0b9f5415f5416ae1542050f639b73162b4e28db5e7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of the primary links, however, directs to ttraff.com, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains text related to a personal trainer manual and the malicious URL, suggesting a lure to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=ace+personal+trainer+manual+5th+edition
    • https://static.usrfiles.com/ugd/6116da_e22681460e764c699409a4e9ffc03ad8.pdf
    • https://static.usrfiles.com/ugd/c7ef1a_bb048091ec8f45c1a33460fe0639fa40.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_8be2a51504da4470b20cbaf4daf116d6.pdf
    • https://static.usrfiles.com/ugd/b8c837_4aa53e83b485432092f249e13e83c360.pdf
    • https://static.usrfiles.com/ugd/6350c7_58eca1a9794d4a82b74fde5c2dbaf3a5.pdf
    • https://static.usrfiles.com/ugd/73cb9e_1afd13dded384c5c92f0b0a655ac2ff0.pdf
    • https://static.usrfiles.com/ugd/b8c837_01ea57b9614d43c18c39151d72285354.pdf
    • https://static.usrfiles.com/ugd/b8c837_28fac90fa32549fab076ee66f0d9fae5.pdf
    • https://static.usrfiles.com/ugd/b8c837_c26904b176ba4d1dbcdc386cbf40fb12.pdf
    • https://static.usrfiles.com/ugd/9e41f0_6f56b5bc739e42d59360231e7517aa1d.pdf
    • https://static.usrfiles.com/ugd/b8c837_814beba33fbf4176a8a69cdb8eead0bf.pdf
    • https://static.usrfiles.com/ugd/b8c837_e715faea046f4d9eb43389ae93912a61.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004523.bin
099cbebd9bbd7e252471ff8305a27139c48a6da9b21d030e3c4e613e7517b12a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4523 5428 bytes
font_01_sfnt_off0000575e.bin
fdb403ed80eba15d5b52750824af2646c14db37b042b11e732d9110a653fb609		 pdf-font-stream PDF embedded font (sfnt) at offset 0x575E 10216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.