Malicious PDF — malware analysis report

Static analysis result for SHA-256 558b2821c2126f15…

MALICIOUS

PDF

47.2 KB Created: 2020-09-09 01:41:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 40f379523619ee025dc9c632b5ac09d8 SHA-1: e4b5674a4aa0ae9e31585d5c0bd18ff32e057d3c SHA-256: 558b2821c2126f15e2309017308f6628c2aa7325c16d1482bc89afc957e13ba3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many pointing to a link farm hosted on static.usrfiles.com, and one critical link to a known malicious redirector at ttraff.club. The document body, though heavily obfuscated, contains the same product keyword found in the malicious URL, suggesting a deceptive lure. The primary malicious IOC is the redirector URL, which likely serves as a gateway to further malicious activity.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=char+broil+performance+5+burner+low+flame
    • https://static.usrfiles.com/ugd/cc15ef_6367173de8034af5ba803cead6f50476.pdf
    • https://static.usrfiles.com/ugd/f59309_6aa4945650b94479a7194b48991a708c.pdf
    • https://static.usrfiles.com/ugd/40336e_e097826e802644c58ac125ee1fd30dda.pdf
    • https://static.usrfiles.com/ugd/16a96a_d3ae291c6ce54ebc971b343c45943355.pdf
    • https://static.usrfiles.com/ugd/e481ce_607556bf5a464646a67572343cb0be4d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba1e786e43e04857b650d89becbf6bf7.pdf
    • https://static.usrfiles.com/ugd/39a0fd_8a2b55d1a8e9464fb000d875e048b1fd.pdf
    • https://static.usrfiles.com/ugd/b8c837_c732d686cbc34e9193386bd6b405652c.pdf
    • https://static.usrfiles.com/ugd/7f929b_809c67a2cb30466aa266f66ead39d8e2.pdf
    • https://static.usrfiles.com/ugd/f0e51d_32a7be8ec4dc47a59f8d8ac70cd33388.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_fed6d77494684250bebff62bb6044c8f.pdf
    • https://static.usrfiles.com/ugd/9757e7_f4344df53c1945b89eb72c521432a8ac.pdf
    • https://static.usrfiles.com/ugd/b8c837_62918db86f814b9ab2c56ab61585f3c0.pdf
    • https://static.usrfiles.com/ugd/e8dba5_a694def8806b4954a2d3db41bd47d96d.pdf
    • https://static.usrfiles.com/ugd/b50c55_d2092c43d1dd4d6b9c3a35b1bf814c7e.pdf
    • https://static.usrfiles.com/ugd/9c0842_b190924e3eff4543b04497a09fd641f4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007aac.bin
cce593ae1aaab6e03d6feae74728effb73f683f52e35b17e75c34a7b52e0a06b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AAC 5340 bytes
font_01_sfnt_off00008cbe.bin
bea6960583209cc432fceafe9d3a2168a4bfa5c91f190e70a46248bc49458390		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8CBE 10308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.