Malicious PDF — malware analysis report

Static analysis result for SHA-256 478f309b3aa5da96…

MALICIOUS

PDF

40.4 KB Created: 2020-09-02 00:38:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 631b0a3a384dee3d51c4e59c8a94809d SHA-1: b3d6abc035d398cd97c63813ad32ecf1066d56ec SHA-256: 478f309b3aa5da96fdc96f50a880534653dab19c5145e6284b61e2877df26856
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.link/wix?keyword=biology+notes+form+4+advance+africa'. Additionally, another critical heuristic identified a PDF link farm, with numerous links pointing to static.usrfiles.com. The document body, though heavily obfuscated, contains the same malicious URL, suggesting a lure to external malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=biology+notes+form+4+advance+africa
    • https://static.usrfiles.com/ugd/98857b_8230b732b1bf40a69dc328c159906539.pdf
    • https://static.usrfiles.com/ugd/63d3ad_35bc6c7d3c48476eac13013fbd69c2aa.pdf
    • https://static.usrfiles.com/ugd/b8c837_275cda56b0994275b542f2aee5bec5c1.pdf
    • https://static.usrfiles.com/ugd/9c0842_bc27de6f032c4059aa68253a3135c5de.pdf
    • https://static.usrfiles.com/ugd/97368a_71f68379a97d4fd6aaa4153cc8436532.pdf
    • https://static.usrfiles.com/ugd/9cb927_55303ad083c04e1baa4c67db24f80579.pdf
    • https://static.usrfiles.com/ugd/87d215_aaf0640c24e040e4a79b41f7ae225401.pdf
    • https://static.usrfiles.com/ugd/23924c_4b7be17b39c849ac86e2a6e171224b43.pdf
    • https://static.usrfiles.com/ugd/9ea91e_0d957ce7beaf4ef9859fccdd41d65a84.pdf
    • https://static.usrfiles.com/ugd/b8c837_a5a42b1e2bd64bd5809fbedd7ab6d539.pdf
    • https://cdn.shopify.com/s/files/1/0429/7054/6335/files/meez_coin_hack_no_surveys.pdf
    • https://cdn.shopify.com/s/files/1/0437/5547/1002/files/zabujinetanamejilur.pdf
    • https://cdn.shopify.com/s/files/1/0436/9501/4056/files/wadakugexudole.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e65.bin
a5030b66e28535376f4aa382a98d1b920e20a8c5962adace241fcb76a0e447ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E65 5640 bytes
font_01_sfnt_off0000719d.bin
5d3a2ebe9ce801d5fd70bf042a13131c07f0c8f6b9e05e3cff4704d6702f0a82		 pdf-font-stream PDF embedded font (sfnt) at offset 0x719D 10356 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.