Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d2b16878300a4ca…

Verdict: MALICIOUS
File type: PDF
Size: 96.2 KB
Created: 2020-08-31 09:59:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69399af869968c903d014bdd3d9a281d
SHA-1: 39a4c5814c40b3de70a5a91a36ac2abf56433442
SHA-256: 3d2b16878300a4cafa04c19ff47aaa4c7d2f630604d4b28c83914d3293f76642
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired on a malicious redirector link in the PDF, pointing to 'https://ttraff.com/wix?keyword=aplicaciones+de+las+coordenadas+polares'. This indicates an attempt to redirect the user to a malicious site. The document also contains a large number of embedded external links, characteristic of a link farm, with 'https://static.usrfiles.com/ugd/b8c837_8f62fb131c4d48d3b25094930b6eda38.pdf' being a prominent example. No scripts were extracted, but the presence of these links suggests a phishing or redirection attack.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=aplicaciones+de+las+coordenadas+polares

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000f068.bin
  SHA-256: 1e7a476bbf12af1702a44feebabf57a5cdc503ca30ba063db7d9d44c1b3e4829
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF068
  Size: 6312 bytes

font_01_sfnt_off0001029d.bin
  SHA-256: f563829d07edd912b0b2bfba9a2ea61d1330a57b84c83db1c89739549e5e4391
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1029D
  Size: 5056 bytes

font_02_sfnt_off0001138c.bin
  SHA-256: aa6c8fe7e4958477d55858bf6db5a08750ed3ed5bcfe29d2090a9316a62a8816
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1138C
  Size: 6300 bytes

font_03_sfnt_off000122e8.bin
  SHA-256: 139509ddae6fd8027db0f62525373b719fc5903dbd5e8a286c15f4bf1cc4e606
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x122E8
  Size: 18228 bytes

font_04_sfnt_off00015b6e.bin
  SHA-256: 26578dbbbd80dd6294a0374a0c1b327379f8aa86736cf42040ed0ffeb28bd99c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15B6E
  Size: 16180 bytes