Malicious PDF — malware analysis report

Static analysis result for SHA-256 94b3063b82f32869…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Created: 2020-09-17 21:39:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a99bf97bef146ff9b778aa78d2e495e
SHA-1: 76b661f4706e0cca69adb63c15e20f829ba525b8
SHA-256: 94b3063b82f32869861a64a25e9f4626d73cfb1941c6706190adac66172d6be1
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of embedded links for a 40.5 KB file. Most point to other PDFs hosted on a small set of hosts and match the pattern of a link farm built for SEO manipulation; one, 'https://ttraff.me/wix?keyword=all+star+lyrics+mike', sits in the heavily obfuscated document body and is flagged as a known malicious redirector. The sample therefore relies on the reader clicking a link and following a redirect chain rather than on a PDF parser vulnerability, and its likely purpose is to route the user to malicious content or phishing sites. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a generated web page rendered to PDF rather than an authored document.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host or parent domain. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=all+star+lyrics+mike (flagged: known malicious redirector)
    • http://files.newhorizonstextilegroup.com/uploads/1/3/0/7/130775156/774700.pdf
    • http://files.therapymcb.com/uploads/1/3/1/8/131856574/xopakukuxoguri.pdf
    • http://wakexad.usjapanfam.com/uploads/1/3/1/1/131164132/sizazuzux.pdf
    • http://dujikowaf.getstitchedsewingstudio.com/uploads/1/3/0/7/130740597/9426177.pdf
    • http://files.totalvolumeagency.com/uploads/1/3/1/1/131163669/36417.pdf
    • https://a2857bb7-b73b-4f0a-aae
    • https://dec360d3-8dad-49c7-ba36-65119a0aa176.filesusr.com/ugd/07ef24_c4fe32dcf23248bbb5da0fefc740f69b.pdf?index=true
    • https://6fb0a5ab-96ac-4159-a611-fd98f2c7179c.filesusr.com/ugd/2ddd39_aeb49f519d4b4d9d9d1f8597910921bd.pdf?index=true
    • https://63d0d57d-2bcd-4f16-a6f7-776c53cea762.filesusr.com/ugd/769f78_9ac613616de94e33acac4794d109f2b8.pdf?index=true
    • https://a524ac31-0099-4bc8-8c47-0b008c50bc59.filesusr.com/ugd/2d1648_6ddac4e1d8154e7abced32d11dc6f1cb.pdf?index=true
    • https://07256dea-400b-4adb-a353-9d02fcd94a15.filesusr.com/ugd/5dc3ca_69b4d1cae07f4a8ea1db3ab0adea83f7.pdf?index=true
    • https://62c43e40-51b9-4584-a816-3003d3aa8693.filesusr.com/ugd/8c0e65_9fe4641ec9d5413d9cca4de592556b4d.pdf?index=true
    • https://45e685e1-4f6d-409e-9b25-40794ed28815.filesusr.com/ugd/efc97f_5d18022bb324407ab763fed6e9567504.pdf?index=true
    • https://f7929993-41b0-42b0-8815-d173f37be073.filesusr.com/ugd/5bb01c_1be27fe50d6b4c11be90583d6c27061b.pdf?index=true
    • https://5bab8e1a-dab8-4ab4-9a3e-464b2f520fd1.filesusr.com/ugd/6f53d7_198dc7b4dbf5434483597fe12546f4b0.pdf?index=true
    • https://443e8587-a1dc-4f02-9d55-978062bb99a4.filesusr.com/ugd/7f46b5_8ddf57e13f2745cd9f4a1dd97005df1a.pdf?index=true
    • https://37ae1153-c7ab-4fb2-8485-8d1c4394e5a6.filesusr.com/ugd/f34323_722622f8ad954f56910e4cb7e6c792c7.pdf?index=true
    • https://19128738-e556-4b73-83e3-df7a41871856.filesusr.com/ugd/a31856_1b137007fa654d3bb201e5f6748be04a.pdf?index=true
    • https://a2857bb7-b73b-4f0a-aaef-63570a104786.filesusr.com/ugd/7dfe85_7d664894f4cf405c805f4978abaad7e0.pdf?index=true
    The remaining URLs are XMP metadata namespace identifiers (RDF, Dublin Core and Adobe PDF/XMP schemas) from the document's metadata packet; they are benign schema URIs, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
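The two critical heuristics above describe a detection that needs no parser exploit to trigger: enumerate the document's link annotations, match their hosts against known redirector infrastructure, and flag a small file whose external .pdf links cluster on one parent domain. The following is an added example written for this page, not the analysis platform's own code, that implements that logic in Python with the standard library only. The thresholds (10 links, 100 KB, 60 % of links on one parent domain), the redirector host set, and the example hostnames are assumptions; the sample PDF bytes are constructed inline and modelled on the link list above. One practical caveat it handles: link annotations usually live inside FlateDecode-compressed object streams, so a regex over the raw bytes alone under-counts, and the scanner inflates every stream it can. It does not handle other filters or encrypted PDFs.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hosts treated as known malicious redirectors. Constructed for this example and
# seeded with the one host this report names; a real deployment would load a feed.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.me"}

# /URI (...) from a link annotation's action dictionary. PDF literal strings may
# contain backslash-escaped parentheses, so the body allows "\)".
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# stream ... endstream bodies; the lookbehind stops "endstream" matching as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

_SIMPLE_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_pdf_string(raw: bytes) -> str:
    """Resolve the escapes a PDF literal string can carry: \\n, \\(, \\), \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            octal = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
            else:
                nxt = raw[i + 1:i + 2]
                out += _SIMPLE_ESCAPES.get(nxt, nxt)
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Collect /URI targets from the raw bytes and from every stream that inflates as zlib.

    Streams that are not Flate data (fonts, images) raise zlib.error and are skipped.
    """
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return [unescape_pdf_string(m.group(1)) for body in bodies for m in URI_RE.finditer(body)]


def parent_domain(host: str) -> str:
    """Collapse 'a2857bb7-...filesusr.com' to 'filesusr.com'.

    Last-two-labels is an approximation (no public-suffix list), enough to group the
    per-site random subdomains a file-hosting CDN hands out.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(pdf: bytes, farm_min_links: int = 10, farm_max_size: int = 100 * 1024,
             cluster_ratio: float = 0.6) -> dict:
    """Apply the two link-based heuristics from the report. All thresholds are assumptions."""
    uris = extract_uris(pdf)
    http = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    findings = []

    redirectors = sorted({u for u in http if (urlsplit(u).hostname or "") in KNOWN_REDIRECTOR_HOSTS})
    if redirectors:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", redirectors))

    # Link farm: small file, many external .pdf links, most on one parent domain.
    pdf_links = [u for u in http if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf) <= farm_max_size and len(pdf_links) >= farm_min_links:
        top, n = Counter(parent_domain(urlsplit(u).hostname or "") for u in pdf_links).most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             f"{n}/{len(pdf_links)} external .pdf links on *.{top}"))
    return {"uri_count": len(uris), "http_links": len(http), "findings": findings}


def build_sample_pdf() -> bytes:
    """Constructed sample modelled on this report's link list (not a loadable PDF: no xref).

    Twelve per-site filesusr.com links sit inside a Flate-compressed object stream;
    three links on hypothetical hosts plus the redirector sit in plain objects.
    """
    annot = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n"
    farmed = [b"https://%08x-0000-4000-8000-000000000000.filesusr.com/ugd/%02x_0.pdf?index=true"
              % (i * 0x1111, i) for i in range(12)]
    plain = [b"http://files.example-a.test/uploads/1/3/0/7/1.pdf",
             b"http://files.example-b.test/uploads/1/3/1/8/2.pdf",
             b"http://files.example-c.test/uploads/1/3/1/1/3.pdf",
             b"https://ttraff.me/wix?keyword=all+star+lyrics+mike"]
    packed = zlib.compress(b"".join(annot % u for u in farmed))
    parts = [b"%PDF-1.4\n"]
    parts += [b"%d 0 obj\n" % (i + 1) + annot % u + b"endobj\n" for i, u in enumerate(plain)]
    parts.append(b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
                 + packed + b"\nendstream\nendobj\n%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    for severity, ident, detail in classify(build_sample_pdf())["findings"]:
        print(severity, ident, detail)
```

Run against the constructed sample, classify() returns both critical findings, with the link-farm detail reading "12/15 external .pdf links on *.filesusr.com"; a document with a single external citation link returns none. On a real file, feed the raw bytes of the sample to classify() and replace KNOWN_REDIRECTOR_HOSTS with a threat-intel feed.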

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000602c.bin | 13f96686a401bd7dfbb2d0b7f63168c5e04cb0fdb851c1b4646cc9f7cdca92e7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x602C | 5100 bytes
font_01_sfnt_off00007175.bin | ef13349828d494795b05bebf735bd7bba48e24107ff4f41c7305378e0265e48c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7175 | 10444 bytes