Malicious PDF — malware analysis report

Static analysis result for SHA-256 535d927b713fed93…

MALICIOUS

PDF

42.0 KB Created: 2020-09-06 00:27:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 781145232f73d26f8151753bca31620a SHA-1: d2851d2734239e4644a38d9bd6895d15facb5ad7 SHA-256: 535d927b713fed9368577d9831cf6b788af9106602da4dbe91a37076b35f606b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=bubble+guppies+colouring+sheets'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The file also exhibits characteristics of a PDF link farm, with numerous links to external PDFs, likely to manipulate search engine results or distribute further malicious content. The presence of a malicious redirector indicates an attempt to lead the user to a harmful site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=bubble+guppies+colouring+sheets
    • https://static.usrfiles.com/ugd/d78803_9201511b2571404bb868726aa1912972.pdf
    • https://static.usrfiles.com/ugd/c6ac46_c586c06e760540ee9081833d783a4669.pdf
    • https://static.usrfiles.com/ugd/1d64af_4294c0a1bf7c4c3e96141394d612a83c.pdf
    • https://static.usrfiles.com/ugd/e1a791_f056937ecd8645f48e004924e0d7494d.pdf
    • https://static.usrfiles.com/ugd/ee4a13_7697bb211aa74c6e871e88620c8c9dc1.pdf
    • https://static.usrfiles.com/ugd/575fb0_c2ba9417ef2241a09c22d7746f7edf6f.pdf
    • https://static.usrfiles.com/ugd/6f58fb_3dbc9e493a944dca9fcae691aa5534fd.pdf
    • https://static.usrfiles.com/ugd/de3d83_15e30d9f1c574a278f612ec05312dbd0.pdf
    • https://static.usrfiles.com/ugd/b8c837_173c99e94a0640a4accc19156c7143b8.pdf
    • https://static.usrfiles.com/ugd/61f964_f36c6e0f67f546e88adc9f3e72f9a9ab.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000671a.bin
5ac45e5eea18031ff0a40f57244c688587e90c4dc50c39a5fa87e744f9fe25de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x671A 5176 bytes
font_01_sfnt_off000078b8.bin
01db71dbe6b0a18df9d9c99832a1ad51463945edd1372133a42e00536c458122		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78B8 10000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.