Malicious PDF — malware analysis report

Static analysis result for SHA-256 3beb05cf8ef57852…

MALICIOUS

PDF

69.9 KB Created: 2020-09-01 17:54:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 848fdec584310859a012bfde2374555c SHA-1: a65623a5e4b122bb5e35569cc3e0706068bc357a SHA-256: 3beb05cf8ef57852b3817aa9fa8f3219956f4b80390fe32404992cc9912dd912
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=business+process+reengineering+examples+pdf'. This URL is embedded within the document body, suggesting a lure to trick users into clicking it. The document also contains a large number of external PDF links, many hosted on 'static.usrfiles.com', indicating a potential link farm or distribution mechanism.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=business+process+reengineering+examples+pdf
    • https://static.usrfiles.com/ugd/b8c837_b29f45de7f814aa08cb9222f53663492.pdf
    • https://static.usrfiles.com/ugd/0779a3_06685191bb974896a849e05541c5ddfa.pdf
    • https://static.usrfiles.com/ugd/9b7d8a_cdc7027e21bb45008fc23c8d64c1570a.pdf
    • https://static.usrfiles.com/ugd/b8c837_e32663d164b94940a19c6eeb3fa24506.pdf
    • https://static.usrfiles.com/ugd/b8c837_43c840659fd2480593c52aa8e440cea8.pdf
    • https://static.usrfiles.com/ugd/7baf93_32d9725231504c3c9c569c4f2434a60f.pdf
    • https://static.usrfiles.com/ugd/7f16bd_a765fe7ad7204006a05dac20a21f3b78.pdf
    • https://static.usrfiles.com/ugd/b8c837_fd518353262340a5935270e5658c08b8.pdf
    • https://static.usrfiles.com/ugd/b8c837_404c24a989354ec29ef1d2ea9a374377.pdf
    • https://static.usrfiles.com/ugd/b8c837_13949a42db8247f8b44fcf2be7f40b70.pdf
    • https://static.usrfiles.com/ugd/1b8612_c2c32e15b5464eb4903e8ad5ac18eb32.pdf
    • https://static.usrfiles.com/ugd/87a178_3301582c5000470fb44d28748a7ba34b.pdf
    • https://cdn.shopify.com/s/files/1/0429/8450/5498/files/bepuxoziwufaletinem.pdf
    • https://cdn.shopify.com/s/files/1/0427/7442/9852/files/towolevezeziko.pdf
    • https://cdn.shopify.com/s/files/1/0432/9455/6320/files/math_worksheets_on_slope_and_y_intercept.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d2f2.bin
da4d9b5fb0a54b04725f5319214c64e82ae5af8759a3be2e374828992cdb2c12		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD2F2 5592 bytes
font_01_sfnt_off0000e5ef.bin
26f130b75f127eb309753ea970cef85d8a98f7fe5dfb8f56118cbc9906a609cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5EF 10716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.