Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f80d57a310b93ac…

MALICIOUS

PDF

44.2 KB Created: 2020-08-29 06:57:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5999161978b2bfbb5622de3ec52a55cc SHA-1: 43f43f9d4ef38516da3cce535d92ff869035c3a5 SHA-256: 3f80d57a310b93ac927d52e88b1ec81593d24b24a26f951afc42c26c18e4501b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, also contains the URL 'https://ttraff.com/wix?keyword=attraction+movie++in+telugu', suggesting a lure to a potentially malicious site. The presence of numerous links points towards a link farm or phishing attempt designed to lead users to harmful content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=attraction+movie++in+telugu
    • https://static.usrfiles.com/ugd/b8c837_010506e8282e497f8c70d9024c0094db.pdf
    • https://static.usrfiles.com/ugd/b8c837_9fc0f95631f744759b2ac730f477f9fc.pdf
    • https://static.usrfiles.com/ugd/b8c837_766294f9829343e69533363d1e0b2827.pdf
    • https://static.usrfiles.com/ugd/b8c837_90c06be288614fed931fe8538f3146cb.pdf
    • https://static.usrfiles.com/ugd/b8c837_d7be3290c59e42d39fbaece658f1d0a6.pdf
    • https://static.usrfiles.com/ugd/b8c837_2ec6fa03b22d487ca22ac3d8f9f580e4.pdf
    • https://static.usrfiles.com/ugd/b8c837_66257352828f40de9e1ca348b0d99223.pdf
    • https://static.usrfiles.com/ugd/b8c837_35eddabeec164694aa16ed90af27fc0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_5534b1fd798b4bd2ab91d8ec39330eb0.pdf
    • https://static.usrfiles.com/ugd/b8c837_8ded60dd0c584327880d28d0f3112874.pdf
    • https://static.usrfiles.com/ugd/b8c837_c5e70ac7081e4bd6b0dd057354b0faff.pdf
    • https://cdn.shopify.com/s/files/1/0428/7614/1731/files/33523954869.pdf
    • https://cdn.shopify.com/s/files/1/0432/6827/6384/files/jerukosef.pdf
    • https://cdn.shopify.com/s/files/1/0428/5300/7516/files/nba_2k19_spurs_playbook.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fa1.bin
f12a38e01c7685fb27b856f78d13b419fa7f6ab872b0a19cec6a9311c81f7730		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FA1 4988 bytes
font_01_sfnt_off0000807a.bin
1a9b72883e7edf31cad94b5b46970851820fb111e0825470b2d8bb9752dff66a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x807A 10476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.