Malicious PDF — malware analysis report

Static analysis result for SHA-256 5948b8b08f0272f5…

MALICIOUS

PDF

37.6 KB Created: 2020-08-29 03:10:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 644fc3f4312231077c121feebd389f52 SHA-1: 917be146a2e556172c05f55d1dee683324642fde SHA-256: 5948b8b08f0272f57889d94223efb837c4765d10471ef416dceb064df05d3e54
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=bangalore+days+with+english+subtitle'. This indicates an attempt to lure users to a malicious site. The document also contains a large number of embedded links, many of which point to 'static.usrfiles.com', suggesting a link farm or SEO poisoning tactic. No scripts were extracted from this sample, but the presence of the malicious redirector is sufficient evidence of malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=bangalore+days+with+english+subtitle
    • https://static.usrfiles.com/ugd/b8c837_ad908162b8fe44ed80bf2d3668d8be69.pdf
    • https://static.usrfiles.com/ugd/b8c837_efff9e2596804dcc8eaa913fca07941e.pdf
    • https://static.usrfiles.com/ugd/b8c837_70d56713e71d4e3aae5aa0a3bb22e27b.pdf
    • https://cdn.shopify.com/s/files/1/0434/1035/8439/files/92413669135.pdf
    • https://cdn.shopify.com/s/files/1/0428/5677/5839/files/vatulil.pdf
    • https://static.usrfiles.com/ugd/b8c837_d4596a7deb9a4e2b80d4de45785102e6.pdf
    • https://static.usrfiles.com/ugd/b8c837_bedd8e080bf247bbb2d10ff3f6795f97.pdf
    • https://static.usrfiles.com/ugd/b8c837_27b7198306ba4d5b884ecc6602194a77.pdf
    • https://static.usrfiles.com/ugd/b8c837_c780c24a1d984b8a952094585d75b96a.pdf
    • https://static.usrfiles.com/ugd/b8c837_ccafb132baab45bf90fd7492dacbc5e7.pdf
    • https://cdn.shopify.com/s/files/1/0433/8457/0019/files/archilovers_app_android.pdf
    • https://cdn.shopify.com/s/files/1/0438/4574/6848/files/sexowir.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004610.bin
2d6f877f2cd14e17c397f3d1ca50dc3d79021055effa7c724dc05b025d9fd8d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4610 5352 bytes
font_01_sfnt_off00005848.bin
28caab0c1c118169421208e1e5e12f0cd9d3c1ddd88aa72c25d9759c561f2be3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5848 10380 bytes
font_02_sfnt_off00007b8d.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B8D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.