Malicious PDF — malware analysis report

Static analysis result for SHA-256 49a01f0188bf9678…

MALICIOUS

PDF

73.7 KB Created: 2020-08-30 01:48:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88557e4b99e28f84d6fe381dd7585b28 SHA-1: 7ff1988d5e4077e7ccd18f6c61dd099f47b09b61 SHA-256: 49a01f0188bf967851bf5154ac2746602f87d1b24fa9d992a26c0eab81402bde
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely intended to lead the user to a malicious site. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The PDF also exhibits characteristics of a link farm, with numerous external links, many pointing to static.usrfiles.com, potentially to improve search engine ranking for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=authentic+love+spell+casters
    • https://static.usrfiles.com/ugd/b8c837_07d49d4fb06744a1883f067bfe3d891b.pdf
    • https://static.usrfiles.com/ugd/15cd4d_03c0f90243b44e8cb22c47e79448fd32.pdf
    • https://static.usrfiles.com/ugd/b8c837_9c0dfbb803454a58ae86d92512682165.pdf
    • https://static.usrfiles.com/ugd/8cbfce_1eec04dff14b4a88907bd73ce4d55032.pdf
    • https://static.usrfiles.com/ugd/7603ae_1b0552075c76448099c529eb4c2f4827.pdf
    • https://static.usrfiles.com/ugd/1cfe37_94cad4cf91b54f6f8f5d106dc909137d.pdf
    • https://static.usrfiles.com/ugd/e3ed1f_5edd1a98accc45618181664c91abe875.pdf
    • https://static.usrfiles.com/ugd/c1de29_b99e527b4845474187af2e373ab9e8f0.pdf
    • https://static.usrfiles.com/ugd/0c268c_efab6e9b8ff745298cd2a87bfcca635d.pdf
    • https://static.usrfiles.com/ugd/b8c837_27498844abce468995630715a08c56a5.pdf
    • https://cdn.shopify.com/s/files/1/0428/2767/7852/files/98585875539.pdf
    • https://cdn.shopify.com/s/files/1/0436/6044/3813/files/43946465336.pdf
    • https://cdn.shopify.com/s/files/1/0435/2134/3647/files/python_sort_dictionary_by_value.pdf
    • https://cdn.shopify.com/s/files/1/0439/6482/5758/files/arm_assembly_language_programming.pdf
    • https://cdn.shopify.com/s/files/1/0435/4277/3914/files/tojukexeripedewigibo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e49c.bin
05e5711be6c3ebc5491dabd57267c5db61c3483fbe71dbce8fbac272a95835f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE49C 5072 bytes
font_01_sfnt_off0000f5d1.bin
7aeb6e1b0029213d0975f3546cc6536b297abc4cc013e2ac8a227eb4f491c083		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF5D1 10688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.