Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a154a5c19a9829f…

MALICIOUS

PDF

37.1 KB Created: 2020-09-04 19:38:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ba4c4622a663105b63544802a801f28 SHA-1: 97d0063c0fe689518f47af643393f3415752a492 SHA-256: 5a154a5c19a9829f54ebc978b3b5549f2b147dc85bcf95946034d96c7f374fb0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.club/wix?keyword=vehicle+bill+of+sale+pdf+uk'. The document body, though heavily obfuscated, contains references to 'vehicle bill of sale pdf uk', suggesting a lure to entice users to click the malicious link. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to static.usrfiles.com.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=vehicle+bill+of+sale+pdf+uk
    • https://static.usrfiles.com/ugd/f4de5e_1f767ab934d24359b167102134555954.pdf
    • https://static.usrfiles.com/ugd/c63bf9_7f41c5dab72c4e998b7c35fa3ea569e2.pdf
    • https://static.usrfiles.com/ugd/4a6c57_096b9b511b7946e7a1a0e9642d518de4.pdf
    • https://static.usrfiles.com/ugd/035627_8e98f06b6f4145a4b46515374d200edd.pdf
    • https://static.usrfiles.com/ugd/b8c837_e83e3481299b4288ad3cabdcf6e33d37.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/25322908130.pdf
    • https://cdn.shopify.com/s/files/1/0428/2168/1315/files/photoshop_resize_image.pdf
    • https://cdn.shopify.com/s/files/1/0432/3642/5883/files/favafar.pdf
    • https://cdn.shopify.com/s/files/1/0461/9983/2729/files/rivux.pdf
    • https://static.usrfiles.com/ugd/c1de29_f07f17e40f444a51a1529ba746215ace.pdf
    • https://static.usrfiles.com/ugd/7e6083_b9a67829d41749deab3b2a690536d2af.pdf
    • https://static.usrfiles.com/ugd/83d902_688fe06494354d04a403a41df088fefa.pdf
    • https://static.usrfiles.com/ugd/8b2c09_193f551848044d099032e63d280a98df.pdf
    • https://static.usrfiles.com/ugd/b8c837_87d00bb687ca4e67b4ae52a38c2d35ef.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000052bf.bin
86f0c3041861c2d2fc4dccf6f9936cb84002c30e6e97c19b0a64d2b8f5820e90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x52BF 5316 bytes
font_01_sfnt_off000064d7.bin
4a8561e41e6b3fe84ba2d8ecdcc84ad4464016fbd00f62ea0ca35fc5d890b8d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64D7 10276 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.