Malicious PDF — malware analysis report

Static analysis result for SHA-256 94e95e6e3779e0e3…

Verdict: MALICIOUS
File type: PDF
Size: 33.2 KB
Created: 2020-08-31 04:30:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6612b4792dea0fc02c4e23fd3f3bafa5
SHA-1: 416a94bcdc74efc23fcb3cad2cc1bc478e859fda
SHA-256: 94e95e6e3779e0e35fad5b59b51e4db82fb9dcca654f7cbae769f88072752024
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

A heuristic fired on a malicious redirector link in the PDF pointing to 'ttraff.com', associated with a lure for 'chuck e cheese birthday invitations free'. This suggests a phishing or malware distribution attempt. The file also exhibits the characteristics of a PDF link farm, embedding numerous external PDF links, many of them hosted on 'static.usrfiles.com'. No scripts were extracted from this sample; the embedded malicious URL is the primary indicator of compromise.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=chuck+e+cheese+birthday+invitations+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off0000458e.bin
    SHA-256: abed6bc187f9660cf0e0638a65246b289c11afe37759a784bfb058daacd2e3a7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x458E
    Size: 5348 bytes
  • font_01_sfnt_off000057be.bin
    SHA-256: 0e64571ed0c07ae1795ce34d92c18f7df51079c9a4ade89e38f4e9e93497e90f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57BE
    Size: 9468 bytes