Malicious PDF — malware analysis report

Static analysis result for SHA-256 98ff6dce2efee54d…

Verdict: MALICIOUS
File type: PDF
Size: 140.2 KB
Created: 2020-09-06 09:58:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88409474679f878c87467e5c6ebca728
SHA-1: 660e3befefeb59a2f53e8ffb142e41d2471b12fa
SHA-256: 98ff6dce2efee54d2f28f3ae04080c5be0dc1ecfb5cf2a30696cb3e6e777d11f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF triggers a heuristic for a malicious redirector link pointing to 'https://ttraff.cc/wix?keyword=spider+man+homecoming+script'. The URL appears in the document body as a visible link, consistent with a lure designed to get the user to click it. The PDF also shows link-farm characteristics: numerous external links, many of them hosted on 'static.usrfiles.com'. The redirector URL is the primary IOC.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=spider+man+homecoming+script

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001dcd9.bin
SHA-256: a4a174e99072f16e817d63340c5d7c189014825e16cf858f817b5e97a0a272e7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1DCD9
Size: 5556 bytes

Filename: font_01_sfnt_off0001ef8e.bin
SHA-256: a8ad2fdceaca64dc7b4c65f68129c9c42e8d7037fc7f30e3ff9f370ce1807d96
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1EF8E
Size: 16484 bytes