Malicious PDF — malware analysis report

Static analysis result for SHA-256 828658a3a3d20cfe…

MALICIOUS

PDF

41.0 KB Created: 2020-09-01 07:18:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52af88403b8a489d25f5da92467e6db7 SHA-1: c4b008f11718be0cb4c2afc92297797fe75205d7 SHA-256: 828658a3a3d20cfe8fa755020862a81e2b87bb5927883dfd25b1962874d08698
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.cc, which is disguised as a calligraphy tutorial. The document also exhibits characteristics of a link farm, embedding numerous external links, many of which point to static.usrfiles.com. The presence of a visual download button lure further supports the malicious intent. The primary attack vector appears to be social engineering through a deceptive link.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=learn+calligraphy+alphabet+pdf
    • https://static.usrfiles.com/ugd/b8c837_d143e347cb6f40d6897c1cffc41a7f4a.pdf
    • https://static.usrfiles.com/ugd/253000_118316419b124e94899d8bc45b5c9079.pdf
    • https://static.usrfiles.com/ugd/ff2e72_59e6633087a2491a828fd296e0af003e.pdf
    • https://static.usrfiles.com/ugd/be19e1_a1f1e282ac154f4984232b2ba0066eda.pdf
    • https://static.usrfiles.com/ugd/c068f8_253cc2e5b5c04541b990f527c17c8663.pdf
    • https://static.usrfiles.com/ugd/c3f59f_127e37fcd80f4e17928633f82703adf8.pdf
    • https://static.usrfiles.com/ugd/d162e3_590d5f2549e4460985b495ff2d078e98.pdf
    • https://cdn.shopify.com/s/files/1/0431/5657/0274/files/rezut.pdf
    • https://cdn.shopify.com/s/files/1/0431/7786/9476/files/chemistry_chapter_4_test_answers_multiple_choice.pdf
    • https://cdn.shopify.com/s/files/1/0441/3066/4600/files/dujepowufutezawokivop.pdf
    • https://cdn.shopify.com/s/files/1/0434/2949/4933/files/18215728327.pdf
    • https://cdn.shopify.com/s/files/1/0433/0101/1611/files/yasser_seirawan_winning_chess_openings.pdf
    • https://static.usrfiles.com/ugd/b8c837_d67b4c963fb44659a47360a24d2ee498.pdf
    • https://static.usrfiles.com/ugd/a382ee_b2f7a362785841689aed43d43e5324b8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006287.bin
f606719f463dc113d5fa3dd19acac67c2036af922d178335554b256b6aacb9c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6287 5420 bytes
font_01_sfnt_off000074f9.bin
ba364eb97b19889cd67f1d6bec3a2bc2b82f3c6a2e1790a360f947c163ddd10a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74F9 9996 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.