Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a7a9219f3002a36…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Created: 2020-08-31 03:42:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87757a47d9876623f11ad8d091d43f44
SHA-1: 6245b62bf00d61f754acad7cac74c1536857becf
SHA-256: 3a7a9219f3002a368d8f9bcadaeb674ef83e70745c6f2e0b4d1bd1eb24ee4c32
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=tres+veces+tu+3msc+pelicula+estreno'. The document body, though heavily obfuscated, contains this URL and other links to PDF files hosted on 'static.usrfiles.com'. This suggests a lure to a malicious site, likely for phishing or to download further malicious content. The presence of a link farm further supports the malicious intent.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=tres+veces+tu+3msc+pelicula+estreno
    • https://static.usrfiles.com/ugd/ce0e6d_adcfaa4c7e1f464ab45cf8c873603353.pdf
    • https://static.usrfiles.com/ugd/f7fbc8_906591c065624fb68355c9bede256a73.pdf
    • https://static.usrfiles.com/ugd/30e015_518505af869e403f8e9a44ef9e51ddd5.pdf
    • https://static.usrfiles.com/ugd/6cfc61_f73f36c2a1504934beb481a29006803a.pdf
    • https://static.usrfiles.com/ugd/6d59ab_c48b430f0b584c77a9de7a57687da1c9.pdf
    • https://static.usrfiles.com/ugd/96768c_17f874786c5644ae9cf63de39604f899.pdf
    • https://static.usrfiles.com/ugd/ac72e0_5a619139c0854cd8861c4cbc124362df.pdf
    • https://static.usrfiles.com/ugd/5899d5_a0c530855f9d43f191663f7747cf1b0a.pdf
    • https://static.usrfiles.com/ugd/b8c837_7450f0a71b8442cc90548803a306cbe0.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_8ca181b4d190464eb7ac144f475e60f5.pdf
    • https://static.usrfiles.com/ugd/097bd5_8d93e5c9f6454ec28addc84fad9a6749.pdf
    • https://static.usrfiles.com/ugd/1f2646_52c5e89dc8c5406bb412a8dcbce060ce.pdf
    • https://static.usrfiles.com/ugd/b8c837_260a36ff4bd146d7914a3785e69143f1.pdf
    • https://static.usrfiles.com/ugd/b8c837_16e7d89d06c64bd5ab6d66e6ba37cc17.pdf
    • https://static.usrfiles.com/ugd/b8c837_b30317aaa5564d66978070745cb83036.pdf
    • https://static.usrfiles.com/ugd/ab0441_61f8906013514af2ad0e0a1341dabaa0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000556e.bin
    SHA-256: eebd735ad53a16db69730077b4d4bbf112665aedc79fa82e35e608bbe1eaa6c0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x556E
    Size: 5252 bytes
  • Filename: font_01_sfnt_off00006737.bin
    SHA-256: 4daf2215ccb474eb5653d3fd0e566216b8de7da01bbb4705ca0d03e684024e4e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6737
    Size: 10984 bytes