Malicious PDF — malware analysis report

Static analysis result for SHA-256 41e4e9b17869309e…

Verdict: MALICIOUS
File type: PDF
Size: 56.8 KB
Created: 2020-08-30 00:09:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6879b5d4d6a13c26bf6f262c3d78482b
SHA-1: 0a64bb6f1f0524f91c52d0add6f9af44127269bb
SHA-256: 41e4e9b17869309e632480be2e1acb0a2f2bafd72e896b5b13865b4586c3446a
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

A heuristic fires on a malicious redirector link in the PDF, pointing to 'https://ttraff.cc/wix?keyword=a+first+course+in+probability+9th+edition+pdf+free+download'. The URL is presented in the document body as a download link for a textbook. The file also shows the characteristics of a PDF SEO link farm: many links to external PDF files, most of them hosted on 'static.usrfiles.com'. The primary IOC is the redirector URL, which is likely used to funnel victims to a malicious or unwanted-software site. The authoring application recorded in the metadata (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a generated carrier document rather than a hand-authored one.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=a+first+course+in+probability+9th+edition+pdf+free+download
    • https://static.usrfiles.com/ugd/b0b521_f7edc04f93b14bd4b8cd6df5aa5f4d11.pdf
    • https://static.usrfiles.com/ugd/b8c837_31facdb28ae3470c841cfb5e3d84d451.pdf
    • https://static.usrfiles.com/ugd/cf79db_c37bf477c4344fe885a3b1cf936eb32a.pdf
    • https://static.usrfiles.com/ugd/cf79db_e5230e54806a484ca49cbf4f26a450d4.pdf
    • https://static.usrfiles.com/ugd/e2f7e1_4087146ff92d46fa8036103dbd3800c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_a1befd1435fb456193bef9b441353e4c.pdf
    • https://static.usrfiles.com/ugd/b8c837_4a5a2267bc9740bb8cd25fe7ebae15f5.pdf
    • https://static.usrfiles.com/ugd/b8c837_e02019584a954817afa1533844b0729b.pdf
    • https://static.usrfiles.com/ugd/3b0c81_3232490750b447e8b2faa2fdf26dfbac.pdf
    • https://static.usrfiles.com/ugd/b8c837_1912008e4c8546aa9b30955685f1136e.pdf
    • https://static.usrfiles.com/ugd/0c268c_f1b0c58ffdcc4a7da4b8685fd8baafe2.pdf
    • https://static.usrfiles.com/ugd/b8c837_97715f0395ef4dd58396046bfa7ab6f4.pdf
    • https://static.usrfiles.com/ugd/b8c837_03d499f51e7b4a1eb8ad2d3b9e66bfb0.pdf
    • https://static.usrfiles.com/ugd/69b86f_e9f22e3c997c4bdbb71628cfde73274c.pdf
    • https://static.usrfiles.com/ugd/b8c837_d5015d7093324947bdb15965c442a8df.pdf
    • https://static.usrfiles.com/ugd/b8c837_ff99d61fcb7346d69b9b03948866c7bd.pdf
    • https://static.usrfiles.com/ugd/b8c837_2834bcfd68bd46e392f192ff386ad85c.pdf
    • https://static.usrfiles.com/ugd/49be48_80addb10393e4008a47b30c629f526d9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF, Dublin Core and Adobe XMP namespace identifiers from the document's XMP metadata packet, not clickable links; they appear in any PDF that carries XMP metadata and carry no signal on their own.
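The two link heuristics above can be reproduced over a PDF's /URI actions with a short script. This is an added example, not the scanner's own code: the thresholds, the redirector watchlist (seeded with the host named in this report) and the sample PDF it builds are assumptions constructed for the example. It scans both the raw file bytes and every inflated FlateDecode stream, because link annotations are commonly packed into compressed object streams that a plain grep over the file never sees.

```python
"""Added example: reproduce PDF_SEO_LINK_FARM and PDF_MALICIOUS_REDIRECTOR_LINK
over a PDF's /URI actions. Not the scanner's own code; thresholds, watchlist and
the sample PDF are assumptions constructed for this example."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds (the report does not state the scanner's).
MAX_SMALL_PDF_BYTES = 256 * 1024      # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 8            # "mass ... link farm"
MIN_TOP_HOST_SHARE = 0.6              # "mostly clustered on one host"
# Watchlist seeded with the redirector host from the report; the list itself is constructed.
REDIRECTOR_HOSTS = {"ttraff.cc"}
# XMP/RDF namespace URIs live in the metadata packet and are not navigable links.
METADATA_NS_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/",
                        "http://www.w3.org/1999/02/22-rdf-syntax-ns")

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (literal string), escapes allowed
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def _unescape_pdf_string(raw: bytes) -> str:
    # Drop backslash line continuations, then undo \( \) \\ escapes.
    raw = raw.replace(b"\\\r\n", b"").replace(b"\\\n", b"")
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Collect /URI actions from the raw bytes and from every FlateDecode stream."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the trailing EOL before 'endstream' and truncated data.
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (image data, other filters); the raw scan still applies
    uris, seen = [], set()
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uri = _unescape_pdf_string(m.group(1))
            if uri not in seen:
                seen.add(uri)
                uris.append(uri)
    return uris


def evaluate(pdf: bytes) -> dict:
    """Return the extracted link URIs and which of the two heuristics fire."""
    uris = [u for u in extract_uris(pdf) if not u.startswith(METADATA_NS_PREFIXES)]
    parsed = [urlparse(u) for u in uris]
    hosts = [p.hostname or "" for p in parsed]
    pdf_hosts = [p.hostname or "" for p in parsed if p.path.lower().endswith(".pdf")]
    top_host, top_n = Counter(pdf_hosts).most_common(1)[0] if pdf_hosts else ("", 0)
    hits = []
    if (len(pdf) <= MAX_SMALL_PDF_BYTES
            and len(pdf_hosts) >= MIN_EXTERNAL_PDF_LINKS
            and top_n / len(pdf_hosts) >= MIN_TOP_HOST_SHARE):
        hits.append("PDF_SEO_LINK_FARM")
    if any(h in REDIRECTOR_HOSTS for h in hosts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    return {"uris": uris, "pdf_link_count": len(pdf_hosts), "top_host": top_host, "hits": hits}


def build_sample_pdf(uris) -> bytes:
    """Constructed minimal PDF: one /Link annotation per URI inside a FlateDecode
    object stream, so the decompression path is exercised. Not a real sample."""
    def lit(u):  # escape what a PDF literal string requires escaped
        return (u.encode("latin-1").replace(b"\\", b"\\\\")
                .replace(b"(", b"\\(").replace(b")", b"\\)"))
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ("
        + lit(u) + b") >> >>\n" for u in uris)
    packed = zlib.compress(annots)
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    obj = b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
    return head + obj + packed + b"\nendstream\nendobj\n%%EOF\n"


# Constructed link set mirroring the report: one redirector URL, a cluster of .pdf
# links on one host, one stray .pdf link and one XMP namespace URI.
SAMPLE_URIS = (
    ["https://ttraff.cc/wix?keyword=a+first+course+in+probability+9th+edition+pdf+free+download"]
    + ["https://static.usrfiles.com/ugd/b8c837_%032x.pdf" % i for i in range(12)]
    + ["https://example.org/citation.pdf", "http://ns.adobe.com/xap/1.0/"]
)

if __name__ == "__main__":
    print(evaluate(build_sample_pdf(SAMPLE_URIS)))
```

This is deliberately a byte-level scan, which is what a triage script can afford: it resolves no indirect objects and handles only Flate streams, so a real-world check should fall back to a full parser (pypdf or pdfminer) for LZW/ASCIIHex-filtered object streams, and should remember that /URI is only one of the action types (/Launch, /GoToR, /JavaScript) that can move a reader off the document.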

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000073a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x73A6 | 1736 bytes | 2386068f7a73a9f1c684ba6296c5021819071ca54571ed7fff7ef555150aac7c
font_01_sfnt_off00007c0d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C0D | 5720 bytes | b3d10dd61d050bdbc5566bdf0150f086db38e1d4ce07b4812dcca5f5b4d4241b
font_02_sfnt_off00008f88.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F88 | 15236 bytes | 4bde56ef05c8db19da3fc7af8bfa41c5671d5d35e8905afa1219251dce202267
font_03_sfnt_off0000bfed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBFED | 16140 bytes | 01b046ac3d3bdb9099885b0d611edf51531dfad14e3bdf91fc6f50a794df71fe