Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f89d672b63377ca…

Verdict: MALICIOUS

File type: PDF

Size: 41.4 KB
Created: 2020-09-02 19:18:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 678496e85b2954ff3424a89b761bf785
SHA-1: 79f3714d88b1ee762e15886ee9b8d3c174e242a6
SHA-256: 8f89d672b63377ca04e3eb13d7b73ec252785ae320fe21f31098f236bbc52304
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.me, which is disguised as a football pitch template. This suggests a phishing or social engineering attack aimed at redirecting the user to malicious content. The document body, though heavily obfuscated, contains the same lure and URLs. The presence of multiple links to static.usrfiles.com, while some are marked benign, indicates a link farm strategy, likely to improve SEO for the malicious redirector.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/pify?keyword=half+football+pitch+template

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000063c5.bin
    SHA-256: cbb63f0a7718c73a1af15e384f91b0e7bbce4862ac43ba94b30937a9001e8001
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63C5
    Size: 5084 bytes
  • Filename: font_01_sfnt_off000074ed.bin
    SHA-256: 9492c49a5c29c9b9df927d74ef5a797149e5d6bf5c4d45b7e59ab5b6a144fb70
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x74ED
    Size: 11056 bytes