Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e0fc8b89514c38e…

MALICIOUS

PDF

48.6 KB Created: 2020-09-01 11:48:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89a8367da5529b404ad5e13975132304 SHA-1: 77fa1b9cde8a1b869b3d1ac91a95eab2a0933aa8 SHA-256: 8e0fc8b89514c38eb53fcd15b5a16977ed5716da8734cde3f8e097d0ea8822d1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=burger+king+uk+menu+pdf'. This URL is presented in the document body, disguised as a menu PDF, to entice users to click. The document also contains a large number of embedded links, many pointing to static.usrfiles.com, indicating a link farm strategy. No scripts were extracted, and the document body itself is heavily obfuscated, but the primary malicious intent is clear from the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=burger+king+uk+menu+pdf
    • https://static.usrfiles.com/ugd/225520_943a8774074a4f44a6c13b8e089e6a71.pdf
    • https://static.usrfiles.com/ugd/b8c837_7b0858a8111249ca9bf11a06f1dafa58.pdf
    • https://static.usrfiles.com/ugd/191a6d_d965f1f9134b49ddb6ef3d95f5f0a016.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/9680354999.pdf
    • https://cdn.shopify.com/s/files/1/0457/0261/1100/files/ms_onenote_meeting_minutes_template.pdf
    • https://cdn.shopify.com/s/files/1/0434/8903/4402/files/48993644820.pdf
    • https://cdn.shopify.com/s/files/1/0437/9954/3970/files/pufuri.pdf
    • https://cdn.shopify.com/s/files/1/0437/6385/9617/files/vargeet_jai_ii.pdf
    • https://static.usrfiles.com/ugd/735424_5f1ac5dca6cc41d7a91d6fb29a11649e.pdf
    • https://static.usrfiles.com/ugd/96768c_14b6103b77ab453bb42692477bf8fea5.pdf
    • https://static.usrfiles.com/ugd/6cf0f5_72406d2923ad445b87029daa3b1672ba.pdf
    • https://static.usrfiles.com/ugd/1fa6dd_ac72246979904a09bc48581a6e2f7626.pdf
    • https://static.usrfiles.com/ugd/d43733_5e3d6a39d86b4755aefb27280b011e1e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064e8.bin
be8e5b0fdc67342d509aac4a3fbf6a739f15360a5fa50a074ac15ed02dab287f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64E8 4748 bytes
font_01_sfnt_off000074ea.bin
15c72ab808018d86fe84b5c4c6010ed8d7b5e834dbd77dc33c17260eca4f6ecd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74EA 15776 bytes
font_02_sfnt_off0000a5d2.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA5D2 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.