Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fe2b37e82570b75…

MALICIOUS

PDF

46.9 KB Created: 2020-08-29 06:30:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8188613690c339be236c3e519f9910f6 SHA-1: 53f9c0aa4224ac6a112233116136a162a3b92762 SHA-256: 3fe2b37e82570b75fdc7ce7d82b77ee7cf52a47cb4cad53c8a3fffea87439f78
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to the `static.usrfiles.com` domain, suggesting a link farm or SEO poisoning attempt. One critical heuristic identified a link to `ttraff.com`, a known malicious redirector. The document body, though heavily garbled, contains the URL `https://ttraff.com/wix?keyword=c%25C3%25B3mo+hacer+patatas+dulces+con+pur%25C3%25A9+d`, reinforcing the malicious redirector finding. The primary intent appears to be directing users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=c%25C3%25B3mo+hacer+patatas+dulces+con+pur%25C3%25A9+d
    • https://static.usrfiles.com/ugd/b8c837_6e1408ef79ab4955b5c925b23b367cb1.pdf
    • https://static.usrfiles.com/ugd/b8c837_45aaa70368c748eabbcd910d550aa9b3.pdf
    • https://static.usrfiles.com/ugd/b8c837_7fbfc573936e470abd8866631b406d37.pdf
    • https://static.usrfiles.com/ugd/b8c837_5be36ac1631b4b15bfdcc26c2d20537c.pdf
    • https://static.usrfiles.com/ugd/b8c837_f5d32a56242c40be9b68230ed6fa663c.pdf
    • https://static.usrfiles.com/ugd/b8c837_56c69a133a9e4447b6721566e63020f2.pdf
    • https://static.usrfiles.com/ugd/b8c837_8b2e0677ffdc434289e2fae52a9c2527.pdf
    • https://static.usrfiles.com/ugd/b8c837_35abd24c862d4319b7e29aed266c0f7d.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8d0c0e5084f461da533ea19ba69b03e.pdf
    • https://static.usrfiles.com/ugd/b8c837_0f6adbaeb7cd4742a24e39027182f8a7.pdf
    • https://static.usrfiles.com/ugd/b8c837_417c0ff001e2497caa8b57bf0fc4ca53.pdf
    • https://static.usrfiles.com/ugd/b8c837_31abda09386c4690a9519d8b20c6ffb2.pdf
    • https://static.usrfiles.com/ugd/b8c837_0dc2bb375e19499ba24623f6837afb66.pdf
    • https://static.usrfiles.com/ugd/b8c837_7471b1917eb94287b999ede0c3e7c742.pdf
    • https://static.usrfiles.com/ugd/b8c837_db0f21ed758f4bd0b9a393ee819e4285.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000744e.bin
da504a7f8b1ed01299d93c59d4f8147c469064b089fbe8b830f5f04616d13f90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x744E 5496 bytes
font_01_sfnt_off0000863b.bin
818f82f8953d92231a2ccc9f0d356f3dd9cd1592897f59b2050eae659c7d2a42		 pdf-font-stream PDF embedded font (sfnt) at offset 0x863B 11908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.