Malicious PDF — malware analysis report

Static analysis result for SHA-256 9720c3a7bac84cc8…

MALICIOUS

PDF

48.9 KB Created: 2020-08-30 03:08:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c9f3706c58cc3fdfc4aa913defdfa44 SHA-1: 59cf4aca4ebfed19da1f8b9ae26ca0d6e1f67098 SHA-256: 9720c3a7bac84cc81089698546affbfa016136a55ca71ad464a8394af4ac7dda
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=total+war+three+kingdoms'. This indicates an attempt to direct the user to a potentially harmful site, likely for phishing or malware distribution. The document body also contains this URL, reinforcing the lure. The presence of a PDF link farm heuristic suggests a broader campaign to distribute such malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=total+war+three+kingdoms
    • https://static.usrfiles.com/ugd/b8c837_cc7f93e8b811467cb0ed3ad494484435.pdf
    • https://static.usrfiles.com/ugd/6a22cb_46a98cb0d02149dc8df6ba4a5d642411.pdf
    • https://static.usrfiles.com/ugd/ab922d_22ce815428394264b40675e91249078d.pdf
    • https://cdn.shopify.com/s/files/1/0430/0560/8099/files/acadia_parish_jades.pdf
    • https://static.usrfiles.com/ugd/c20ea7_6b15a577df974a9ba33471f3d8790e77.pdf
    • https://static.usrfiles.com/ugd/c068f8_4d132ec257eb42dca57b7d09f64288e6.pdf
    • https://static.usrfiles.com/ugd/3bca44_a9d0a52cf7de437c8545b49aa58b777c.pdf
    • https://cdn.shopify.com/s/files/1/0429/3804/0487/files/27791892655.pdf
    • https://cdn.shopify.com/s/files/1/0433/7028/3166/files/xogebonupasexavotutekuzus.pdf
    • https://cdn.shopify.com/s/files/1/0430/6986/6141/files/livimuwedodekusesoxej.pdf
    • https://cdn.shopify.com/s/files/1/0429/1470/9663/files/87033036779.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006abb.bin
74e7193de7867bcf2007c05620bbeeeaa8ecf6acdcc7d8798c747d190114e669		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6ABB 5132 bytes
font_01_sfnt_off00007c0d.bin
6c96397823b4e026d89bcf4e64e4a19a11b7ba235546d66a9042781496d09ed8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C0D 14312 bytes
font_02_sfnt_off0000a906.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA906 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.