Malicious PDF — malware analysis report

Static analysis result for SHA-256 577d007e6e5734bf…

MALICIOUS

PDF

43.2 KB Created: 2020-08-31 22:09:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f384270419bebce221241f4db14f57e SHA-1: d92d1bd346421c3063f29f909428dfddd62b302f SHA-256: 577d007e6e5734bf7e8348bd37d21829e4a5b58898010d5509be2ebf8a99f3b6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-Override

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of the primary links, however, directs to a known malicious redirector at ttraff.cc. The document body text, though partially corrupted, includes the phrase 'Answer after thank you' and the malicious URL, suggesting a social engineering lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=answer+after+thank+you
    • https://static.usrfiles.com/ugd/6290de_caa6c551c9174593a387114d8647e8b4.pdf
    • https://static.usrfiles.com/ugd/0d089b_ea72037496544936a00a0d94593df890.pdf
    • https://static.usrfiles.com/ugd/0cd019_fd6a04ea94284b49a41109b86087b092.pdf
    • https://static.usrfiles.com/ugd/97493d_e7cffffcf88f4bc7bcfff7ec14a90926.pdf
    • https://static.usrfiles.com/ugd/362633_1abc5ec43e234a7ea10e0a3dfeccbc77.pdf
    • https://static.usrfiles.com/ugd/3e87bf_9baa43c5e0a64d7f86ef98021abe857a.pdf
    • https://static.usrfiles.com/ugd/b8c837_79e5621b3b93465c933d78aa27bd31cc.pdf
    • https://static.usrfiles.com/ugd/fac845_f6f20fec92bc438182e7b5187c55c382.pdf
    • https://static.usrfiles.com/ugd/b8c837_75d5d82399a74aec98401ac42c2378e0.pdf
    • https://static.usrfiles.com/ugd/de65f7_b4d33de397ff48668678e5dae26dd716.pdf
    • https://static.usrfiles.com/ugd/b8c837_abcf35407fab42aab17ac4e20d9a7c69.pdf
    • https://static.usrfiles.com/ugd/a01749_c5963e2bbaf548c297c82ff64903c46d.pdf
    • https://static.usrfiles.com/ugd/b8c837_46097ce2206045ce97267481e2a31680.pdf
    • https://static.usrfiles.com/ugd/ab922d_a9bc46665303454cbcd1eaf9153aba4d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c9c.bin
865fab8cbf39c7f0103913d1ed8a38b37596c5fe45a714ff34d5b9b99e779301		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C9C 5072 bytes
font_01_sfnt_off00007df1.bin
af3addce9cd7034843b809ddb71405cc4facd8f16d7954312c08248858d2bcbb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DF1 10008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.