Malicious PDF — malware analysis report

Static analysis result for SHA-256 41f0628b4067f35b…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Created: 2020-08-31 05:44:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79c1656ea73cb8b110215fa16a34357f
SHA-1: 39ebae98068ca631e669b0f40faed299bc208b0f
SHA-256: 41f0628b4067f35b36e2818b7b96627d9490afc692a681ddf327af8ca05edec5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, one of which is identified as a malicious redirector. The heuristics 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' indicate that the document's primary purpose is to host and distribute links to potentially harmful content. The embedded URL 'https://ttraff.cc/wix?keyword=%2525E5%2525A5%252587%2525E7%252595%2525B0+%2525E6%252581%2525A9%2525E5%252585%2525B8+%2525E6%2525AD%25258C%2525E8%2525A9%25259E' is flagged as a malicious redirector, suggesting it leads to a malicious site. The large number of links hosted on 'static.usrfiles.com' further supports the SEO link farm tactic.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/wix?keyword=%2525E5%2525A5%252587%2525E7%252595%2525B0+%2525E6%252581%2525A9%2525E5%252585%2525B8+%2525E6%2525AD%25258C%2525E8%2525A9%25259E
    • https://static.usrfiles.com/ugd/a2e20a_d0b48de34e8f407fbc79df5df037c65b.pdf
    • https://static.usrfiles.com/ugd/f84671_37797656a6734748949b99ce574e1648.pdf
    • https://static.usrfiles.com/ugd/97493d_9dd0a02004eb434bbda1ce0bb7036d6a.pdf
    • https://static.usrfiles.com/ugd/2813e2_f9f7f31185ae493e835b945ad5b877c8.pdf
    • https://static.usrfiles.com/ugd/83d902_79260b6ebc654f6ab77d17d80f688a17.pdf
    • https://static.usrfiles.com/ugd/3ceeb9_dec93727097d4c2889317faa6084d79e.pdf
    • https://static.usrfiles.com/ugd/dcfb95_a15c102656ed449cafe6fb5c6abcd84c.pdf
    • https://static.usrfiles.com/ugd/80bfa9_e63a5ddb94e94475bf6b89dbd163db35.pdf
    • https://static.usrfiles.com/ugd/99afdc_6921449fb19b49d6b24c8d4db078d959.pdf
    • https://cdn.shopify.com/s/files/1/0437/6225/3982/files/adestramento_inteligente_completo.pdf
    • https://cdn.shopify.com/s/files/1/0431/9661/2768/files/6773960285.pdf
    • https://cdn.shopify.com/s/files/1/0438/5370/9472/files/switch_axe_phials.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gekisemegudifusoledo.pdf
    • https://static.usrfiles.com/ugd/b8c837_98f4388ee5e94d30af131694b62b071d.pdf
    • https://static.usrfiles.com/ugd/097bd5_332639d30eb244348af29b3e1c59619c.pdf
    • https://static.usrfiles.com/ugd/b77b08_0bed51d0e3364ac4996815092e03b02c.pdf
    • https://static.usrfiles.com/ugd/f1780b_6ae2f862b8924d38ae1446d069849830.pdf
    • https://static.usrfiles.com/ugd/003b86_e239630eef5f42dab7ba371eca94e923.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004d28.bin
    SHA-256: d3afd65ff62d532bfcf47d6fe5c61b048b1fdcf0012f8660f8a907c993f4ee2e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4D28
    Size: 5144 bytes
  • font_01_sfnt_off00005e94.bin
    SHA-256: ee8aacfb41cdd4501d06f0c2830a21efaabd045d234252e251b431f938902e4a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E94
    Size: 4580 bytes
  • font_02_sfnt_off00006e4b.bin
    SHA-256: dbff9e152aad335916b2bee87cd027f069b59f9160570467db14ecf46f1c4e85
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E4B
    Size: 4068 bytes
  • font_03_sfnt_off00007c27.bin
    SHA-256: 1e24eeb7e306ff8ec33655ca29ec02721e83057780758478faa6cb043048d338
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C27
    Size: 9616 bytes