Malicious PDF — malware analysis report

Static analysis result for SHA-256 88d744f2c7208cfd…

MALICIOUS

PDF

39.7 KB Created: 2020-09-01 13:18:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63d1e17966b30b4772a276d24aa52ce4 SHA-1: 7e4028df1988b36abae6cfd99c7a5f16994b9d0b SHA-256: 88d744f2c7208cfdf7157a6023cfb1032ca615cb4f3ec7a6d5a5de5b02881c40
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=describing+pictures+worksheets'. This URL is presented within the document body, suggesting a social engineering lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to static.usrfiles.com. No scripts were extracted, but the primary malicious activity appears to be directing users to a potentially harmful external site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=describing+pictures+worksheets
    • https://static.usrfiles.com/ugd/455f95_d2cd66e4f80c4ebaa73c27f7656dbfe6.pdf
    • https://static.usrfiles.com/ugd/b8c837_7cd07d6a290341e78b8e927004c7b71b.pdf
    • https://static.usrfiles.com/ugd/dd4472_858f6c3839414c5982e3d7744f9562a2.pdf
    • https://static.usrfiles.com/ugd/345929_4473d187cabf4494be47b40067caf124.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_7d70592a15aa48ffbfafa7950841fa82.pdf
    • https://cdn.shopify.com/s/files/1/0437/6428/5598/files/33670814557.pdf
    • https://cdn.shopify.com/s/files/1/0436/7079/8489/files/73849638059.pdf
    • https://static.usrfiles.com/ugd/ea78e0_5476b7892d6e4f13a963e8db17e260fb.pdf
    • https://static.usrfiles.com/ugd/3bca44_aad544beb59a496fa814c2141ea8b774.pdf
    • https://static.usrfiles.com/ugd/a64c8c_0bae4737b8ea4476a7a88559ca5fcacb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b76.bin
3d99f3b3a6ec4612a4bb3f5421567bb9b9a2a459746ec4abea2920a6ea2e3689		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B76 5248 bytes
font_01_sfnt_off00006d69.bin
828c37ef29bebbb927bf9ec291dacd22d6ccb3b256f531f8dc1e2263c7f4788c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D69 11084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.