Malicious PDF — malware analysis report

Static analysis result for SHA-256 945468d4d03f179e…

Verdict: MALICIOUS

File type: PDF

Size: 58.1 KB
Created: 2020-08-31 13:16:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 592d5399fbad5b6402e28876971063d4
SHA-1: acb2540ac143be2656465e781d8cb9a8419de860
SHA-256: 945468d4d03f179e986ff0aaef0403c23f6fbb088e1eac706566c86129d4b518
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. Additionally, it features a large number of embedded links to 'static.usrfiles.com', suggesting a link farm or SEO poisoning tactic. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wix?keyword=hd+audio+solo+ultra', reinforcing the malicious redirector finding. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wix?keyword=hd+audio+solo+ultra
    • https://static.usrfiles.com/ugd/1c90dc_a65898808b9d478ab1ea4aa8a86ce55e.pdf
    • https://static.usrfiles.com/ugd/f09a9d_bc5a1e2e6dcc4c4da9bac24360beba0f.pdf
    • https://static.usrfiles.com/ugd/6240f8_97ff73cf9d914bd7a30d459fbc0dd043.pdf
    • https://static.usrfiles.com/ugd/b6bf5b_4f8fa2c59bf340f08e49dc14d3af1997.pdf
    • https://static.usrfiles.com/ugd/b8c837_74d288e799504b99958d9226f29c1549.pdf
    • https://static.usrfiles.com/ugd/b8c837_9df7d9d097d94ef2922664db88ed94b8.pdf
    • https://static.usrfiles.com/ugd/cafc24_7fe2900e44754a918ee7740efc7514ee.pdf
    • https://static.usrfiles.com/ugd/0c41e7_08edabe372bb4c04964e2ee09c46b1f8.pdf
    • https://static.usrfiles.com/ugd/affb4a_91ddbc3aa2884192845ece7b52b9db6e.pdf
    • https://static.usrfiles.com/ugd/7598fa_c42803ecc031437e814de5de414b70e9.pdf
    • https://static.usrfiles.com/ugd/63d3ad_7721ea80fa1f46aa83e2b61a4c04a0fd.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000a673.bin | e51b666cd3615e4ee8517e44a94e79542014ecf772bdee7bad3c12955b59054a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA673 | 4780 bytes
font_01_sfnt_off0000b6b8.bin | 17211d6041f9bfcef297934c5e2a8f5b801c66f45b453953c9d16eea2a7d69d3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB6B8 | 10864 bytes