Malicious PDF — malware analysis report

Static analysis result for SHA-256 44ab9feb970e822b…

MALICIOUS

PDF

41.0 KB Created: 2020-09-08 12:13:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a724581f0109ce10bfbdf907731f636 SHA-1: e2c937788d9d46d0d6ac0160afe334ee0337b87a SHA-256: 44ab9feb970e822b6b26d4c1198311ea3291a7185a354216b94e5fbe6499618a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass external link farm, with many links pointing to benign-looking PDFs hosted on static.usrfiles.com. However, one critical heuristic firing indicates a direct link to a known malicious redirector at https://ttraff.club/wix?keyword=horse+taming+bdo+guide. This suggests the document is designed to redirect users to malicious infrastructure, likely for phishing or malware delivery, disguised as a guide.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=horse+taming+bdo+guide
    • https://static.usrfiles.com/ugd/b4a829_f29ae4ebbf8b4f2d8ab3bc7ca4a17466.pdf
    • https://static.usrfiles.com/ugd/9374a7_22be87f21d8549e99966f88b19dae0dc.pdf
    • https://static.usrfiles.com/ugd/cd1d52_900be3ebfa4d4abfa910a3fcda57a05c.pdf
    • https://static.usrfiles.com/ugd/b8c837_495b255cf0bb4d7cac6070c91c4eddff.pdf
    • https://static.usrfiles.com/ugd/1479de_b7421be80397450e889bea6196db0fc2.pdf
    • https://static.usrfiles.com/ugd/e5cbe5_f7509beaf2db47a5843836813edaf9e1.pdf
    • https://static.usrfiles.com/ugd/c8683e_4815e891cec340c6bf25b9c21a20af3b.pdf
    • https://static.usrfiles.com/ugd/83e24f_d267fa36066845d0a032c38c2655bec1.pdf
    • https://static.usrfiles.com/ugd/121e37_b949b94be9e84493aec63ac45b633634.pdf
    • https://cdn.shopify.com/s/files/1/0430/1458/6517/files/24432173698.pdf
    • https://cdn.shopify.com/s/files/1/0430/1049/0519/files/duzixawurixagitagep.pdf
    • https://cdn.shopify.com/s/files/1/0432/2148/3687/files/software_craftsmanship_book.pdf
    • https://static.usrfiles.com/ugd/97634b_67c003ffa489428588f3823ed421116a.pdf
    • https://static.usrfiles.com/ugd/1be480_34f4a60192e645d183ee6a61a021365c.pdf
    • https://static.usrfiles.com/ugd/d43733_3e6e292ca8a0430eb53766bb79cda7da.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000638d.bin
e2468a1e9511cf1f637ce5fe3076cae772a3dd918279ff0f68bfe39c10605118		 pdf-font-stream PDF embedded font (sfnt) at offset 0x638D 5212 bytes
font_01_sfnt_off0000752b.bin
452a38acf7eb0ab67d980c29fadf8c36ee2bf5ab8bdd59da8cf72464c00017da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x752B 10012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.