Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a78cf39cb5fe12c…

MALICIOUS

PDF

39.6 KB Created: 2020-09-03 00:01:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e55b14e5648003a075bb1f56e62bbdb SHA-1: 598878c22b9ab3a69baacb0c812dc67ca743aab3 SHA-256: 9a78cf39cb5fe12c0954fdd0e0e2d908f2c92dc5bea4a6d698e82f4a1c9a66d7
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=classified+balance+sheet+purpose'. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDFs hosted on 'static.usrfiles.com', suggesting a link farm or redirection strategy. The primary intent appears to be luring the user to the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=classified+balance+sheet+purpose
    • https://static.usrfiles.com/ugd/8b49c6_d1bf0d26e6fb4c50bebb86d35ff66a26.pdf
    • https://static.usrfiles.com/ugd/3bca44_140af7e0bf01437bb2b33470447b2a84.pdf
    • https://static.usrfiles.com/ugd/c3f59f_40f516fc68344fb68816ebb8d9f8a80d.pdf
    • https://static.usrfiles.com/ugd/9dda13_c55bf6d9aaf24995a0737eb12dfcf426.pdf
    • https://static.usrfiles.com/ugd/bf0735_17f9656d4c3546148b9f077a9f3b101e.pdf
    • https://static.usrfiles.com/ugd/b8c837_a50c5eb6719045658286e5b0bcf964b7.pdf
    • https://static.usrfiles.com/ugd/2ac701_b03778db49ee4800b453c188a1efc29d.pdf
    • https://static.usrfiles.com/ugd/271e65_3b8dc5f7599b425cba363b783423bcc0.pdf
    • https://static.usrfiles.com/ugd/a382ee_76c7215ea067429a818055dc52a99042.pdf
    • https://static.usrfiles.com/ugd/5af86b_25235b05506341869cc2a600cbd67f7b.pdf
    • https://cdn.shopify.com/s/files/1/0435/8724/0093/files/76518660553.pdf
    • https://cdn.shopify.com/s/files/1/0433/9420/3815/files/fedofirewexexaxosolijilu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0997/4169/files/xepebilonuzuzuxolasa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e66.bin
f0ac94d34ec626864f7f6596a3d6ded2529bb3a591064756ed91c0dc21395559		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E66 5288 bytes
font_01_sfnt_off00007050.bin
8a0c172140a3d869405b7d230c784a60e909865d4390facbc623ee157614db29		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7050 9760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.