Malicious PDF — malware analysis report

Static analysis result for SHA-256 968696755bda05b6…

Verdict: MALICIOUS

File type: PDF

Size: 42.9 KB
Created: 2020-08-31 20:43:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a95eeded7ebc94eefc19927a84615be
SHA-1: 5bc524e0b1d64e746dec53d64c7760b94c50d59f
SHA-256: 968696755bda05b686f9994aa106cce332452e33df454a5e850bcd55f93dabf2

Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a mass of external links, with one prominent link pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL "https://ttraff.cc/wix?keyword=black+and+blue+facebook+apk", suggesting a lure for a malicious download or phishing attempt. The presence of numerous links to static.usrfiles.com, while individually benign, contributes to the overall link farm heuristic.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=black+and+blue+facebook+apk

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005d54.bin
    SHA-256: 2e67b626d81d29ba3ab556c0a6fe7a395b561ebdf1c23d355102e122cf3f1835
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5D54
    Size: 4880 bytes
  • Filename: font_01_sfnt_off00006df7.bin
    SHA-256: 309ff2177b1e732e4554655874aa3dace26a83365fa967e72ffac16b25903f13
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DF7
    Size: 10172 bytes
  • Filename: font_02_sfnt_off000090cb.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90CB
    Size: 4324 bytes