Malicious PDF — malware analysis report

Static analysis result for SHA-256 94fbed90db641f73…

MALICIOUS

PDF

41.4 KB Created: 2020-09-09 01:17:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e670a282460a459f58d531b55ea576a9 SHA-1: f892dae5de6998f65a438303d79644f17901bdd7 SHA-256: 94fbed90db641f7360f20075a64b808e2619e321f430b7adf178af1b9de1757f
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.link, which is disguised as a search result for 'android studio emulator not running app'. This suggests a social engineering tactic to trick users into clicking the link. The file also contains a large number of embedded links to static.usrfiles.com, indicating a link farm designed to improve SEO for malicious content. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=android+studio+emulator+not+running+app
    • https://static.usrfiles.com/ugd/6f53d7_53edacef814c4e67b68cd7a1d9697803.pdf
    • https://static.usrfiles.com/ugd/b148e5_b1996d0c53064d3197e988fc82409174.pdf
    • https://static.usrfiles.com/ugd/b0c717_810ca5998ab54be295d728bdc5133750.pdf
    • https://static.usrfiles.com/ugd/b8c837_92636154c2234b04bc6406555cb7d128.pdf
    • https://static.usrfiles.com/ugd/735424_c82ea1b495634ecd893d171e32f11460.pdf
    • https://static.usrfiles.com/ugd/2e79a6_59ee1544b55b4c2bb927e6937a4d44d0.pdf
    • https://static.usrfiles.com/ugd/1c8c6c_ebd03770aea14db7b1135ab01c60b23f.pdf
    • https://static.usrfiles.com/ugd/963627_c7029270023947b3aea66b313092a8fe.pdf
    • https://static.usrfiles.com/ugd/3d7af5_04d9455fc97b4d338da72cc5a9982619.pdf
    • https://static.usrfiles.com/ugd/5ad03d_af4a1826d32f4a748bc1aa0ab7b42334.pdf
    • https://static.usrfiles.com/ugd/c8d394_18c18dba4c3a48bfb157b7d7954da976.pdf
    • https://static.usrfiles.com/ugd/a58b01_85f6a1759f2e4075bc9108b7a13e9153.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063a7.bin
2ac60e7dd8bbf987292e625e2b8f8ba240fb3e816840b23fb70b379bca369f00		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63A7 5268 bytes
font_01_sfnt_off00007579.bin
1f41d74f56fcd60fe332d45eae7cc5c644d9d7be3ac17ad8975b00333421a5fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7579 10344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.