Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b9d05cb2d65e747…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Created: 2020-09-01 21:17:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb364a80f83778715e3739050133e903
SHA-1: a13fd09bf0f25427d9fe5aa0acd45b6190c15360
SHA-256: 3b9d05cb2d65e74723c0c4fb0171af733a600bff7857c76e3a4a6d1dee9a5ac1
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=charlotte%2527+s+web+worksheets+free'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, many pointing to 'static.usrfiles.com'. The document body, though heavily corrupted, appears to be a lure related to 'Charlotte's Web worksheets', intended to encourage clicks on the malicious link.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=charlotte%2527+s+web+worksheets+free
    • https://static.usrfiles.com/ugd/a6e5e9_68b59445a6fd4211b46833441afb6118.pdf
    • https://static.usrfiles.com/ugd/e1d12c_30a96e4f0b524daf9c0520bd554e8cd7.pdf
    • https://static.usrfiles.com/ugd/227d0f_90951e67dfb6422fa2174d12c8a41f53.pdf
    • https://static.usrfiles.com/ugd/d54300_4b6951dc932d476eb1eb35f15f90ffaa.pdf
    • https://static.usrfiles.com/ugd/18122d_81f7cf77122441b7a4b8b5f8623bc83f.pdf
    • https://static.usrfiles.com/ugd/b8c837_695ba211d7f043d898ec67f7cbd7a68f.pdf
    • https://static.usrfiles.com/ugd/74e905_b6b5977f116e49c4ad623ef5054dbd19.pdf
    • https://static.usrfiles.com/ugd/d162e3_758a657ab9e74b31b7f022c8b77dc1c8.pdf
    • https://static.usrfiles.com/ugd/909b15_59ea9730af0f441cb834ff534efab1c2.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_b4cad6292bec42ec80226d804768e8f3.pdf
    • https://static.usrfiles.com/ugd/e745be_ceeea01e0c944068aa2ffd0f0a8d30ae.pdf
    • https://static.usrfiles.com/ugd/b8c837_d7be3290c59e42d39fbaece658f1d0a6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005fdb.bin
    SHA-256: 32eaaf39d1b84e9b5647609b3bd859c2aa96ef9379b5ed5eec28684ab8a15fbc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5FDB
    Size: 4844 bytes
  • Filename: font_01_sfnt_off00007088.bin
    SHA-256: 1d52531d36290af35e5f967f5e06d3a0374bce5c7d1883e907a06d8e224952e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7088
    Size: 10316 bytes
  • Filename: font_02_sfnt_off000093e8.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x93E8
    Size: 4324 bytes