Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bb8d648fe1c4447…

MALICIOUS

PDF

Size: 45.7 KB
Created: 2020-08-31 12:08:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5801323d99eafb9c087234f828c59cbb
SHA-1: 28f661885afc17573e33a51f9670f1da6d50f5e3
SHA-256: 9bb8d648fe1c4447d711ef136c7909c1bf255d576c2870debda4f26d1ca0d580
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded external links, a technique often used in SEO link farms to manipulate search engine rankings or distribute malicious content. One of these links, https://ttraff.com/wix?keyword=android+image+chooser+intent, is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The file's structure and the presence of numerous links indicate a probable attempt to redirect users to harmful websites.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.com/wix?keyword=android+image+chooser+intent

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c83.bin
  SHA-256: d5b4133cc46f3d4c57127adfd919c07a7b4d64188a2fce92bbb216ea56aeb488
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6C83
  Size: 5312 bytes

Filename: font_01_sfnt_off00007e5d.bin
  SHA-256: 8c5fe53fa36ad433d1610497de9eb533dfc6c3159743912da79f4d2929d2f750
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7E5D
  Size: 13696 bytes