Malicious PDF — malware analysis report

Static analysis result for SHA-256 4632eaf6fe9b8029…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Created: 2020-08-29 17:09:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 70f55c8ed69ac6074baace3baaf307bf
SHA-1: 99f79b9340f3011f077f02ed882f3e6e4add69a2
SHA-256: 4632eaf6fe9b8029a542e119dd386079adee813fbe90be16f1515c9f47e23b21
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=freemie+mobile+hands+free+breast+pum'. This indicates the document's primary purpose is to redirect users to a potentially harmful site. Additionally, a heuristic for a PDF link farm was triggered, with numerous external links embedded in the document, many pointing to static.usrfiles.com. The document body, though heavily corrupted, contains the same malicious URL and a benign PDF URL, reinforcing the lure. No scripts were extracted from this sample.

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=freemie+mobile+hands+free+breast+pum
    • https://static.usrfiles.com/ugd/b8c837_99fad0fd65e749edbd69c1ff0b3a1c86.pdf
    • https://static.usrfiles.com/ugd/b8c837_cfa4bfd4d8014aec97212927136faeb3.pdf
    • https://static.usrfiles.com/ugd/0aab01_bce8a558ab064895aa368838e6f04a47.pdf
    • https://static.usrfiles.com/ugd/79cb75_a065a3d5ff9e4304af3ddd25e0fa98d7.pdf
    • https://static.usrfiles.com/ugd/b8c837_aa5c44befe4d4b07b2d628e97b3e0e00.pdf
    • https://static.usrfiles.com/ugd/b8c837_e5d9d772ef3049d38fbfb0259d316877.pdf
    • https://static.usrfiles.com/ugd/b8c837_20e9b76d67f040d0ae4bcbbd3b4ace65.pdf
    • https://cdn.shopify.com/s/files/1/0431/0253/5840/files/47211290525.pdf
    • https://cdn.shopify.com/s/files/1/0430/9549/0721/files/81992024871.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f949fd4c32245dea35cfdcd393a6c3a.pdf
    • https://static.usrfiles.com/ugd/b8c837_93b387b90d8041d1806cdeb586303db4.pdf
    • https://static.usrfiles.com/ugd/b8c837_368acbcc35ed4116b2c9c9ddc8986b48.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000543d.bin
    SHA-256: ec2c1e8c48ef8e58af0139f75711e4753ad800784b6a3ceb709169ae9acc02ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x543D
    Size: 5256 bytes
  • Filename: font_01_sfnt_off000065e4.bin
    SHA-256: bcd085dd3d01ff61b060d3a0e8213a1669ae51feea3ade1275279ce1b41fd8f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65E4
    Size: 10720 bytes
  • Filename: font_02_sfnt_off00008992.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8992
    Size: 4324 bytes