Malicious PDF — malware analysis report

Static analysis result for SHA-256 936c830d2e7d6e88…

MALICIOUS

PDF

46.4 KB Created: 2020-08-29 20:22:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50a38044c16abc5e9351078c8a96a028 SHA-1: 9aef5368400e642f5c879ee53f6a619bfd045370 SHA-256: 936c830d2e7d6e88760afd1ec5b48a841f7f7ff308b86eed0de29a11cfc5d61d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, which is the primary indicator of malicious intent. The document body, though partially corrupted, suggests a lure related to 'strategy of new products'. The embedded link directs to 'ttraff.cc', a known malicious redirector, and the PDF also contains a large number of external links, many pointing to 'static.usrfiles.com', indicating a link farm. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=estrategia+de+nuevos+productos
    • https://static.usrfiles.com/ugd/b8c837_e193b490a195484cbd5dcd59b475fd65.pdf
    • https://static.usrfiles.com/ugd/93c935_b45d12a7423f4f7e9dfd704d2da8d765.pdf
    • https://static.usrfiles.com/ugd/b8c837_2d00899aa4bc435184cb9e8a4b1628af.pdf
    • https://static.usrfiles.com/ugd/b8c837_e848af0a4e774fa497e7347473c442d4.pdf
    • https://static.usrfiles.com/ugd/b8c837_1796ddaa77c143c68fd607b0def975dc.pdf
    • https://static.usrfiles.com/ugd/cb2bed_77348e5292fb46bda59e3666fc5bc052.pdf
    • https://static.usrfiles.com/ugd/b8c837_92a9a8818da742069e763b7a136ede4c.pdf
    • https://static.usrfiles.com/ugd/c3548c_185b69033e654f9b82c1e37895a9801d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ce9be25263ae42d2b74b1bbd6293a363.pdf
    • https://static.usrfiles.com/ugd/934fc3_d79b34e1a5184879b31b7384458466dd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000075bf.bin
75ee5562da493dc7fab1f0963bcae13d67868c8de22fab72c5acf04d14565458		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75BF 5228 bytes
font_01_sfnt_off00008798.bin
42275398d2bd0e5b0e2b92124ffd0f347ce9bd48dc202c3d981192738f199362		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8798 11556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.