Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bfcbe097f3aa532…

MALICIOUS

PDF

44.7 KB Created: 2020-08-30 03:56:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86cc709c5df305ccc03ff0237d5658a3 SHA-1: cd2859d03a54b38efaf6007acc2013ca2f1193b2 SHA-256: 9bfcbe097f3aa5327f83aeb190735c70839d8e61ad40046998c9d21054173a62
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded URLs, with one identified as a malicious redirector. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggests the document's content is designed to trick users into clicking malicious links under the guise of a prize or parcel delivery. The primary malicious URL identified is https://ttraff.club/wix?keyword=next+lunar+eclipse+2016, which likely leads to further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=next+lunar+eclipse+2016
    • https://static.usrfiles.com/ugd/6846fe_dfbdc3fb88484c00888d5ae0149b4df6.pdf
    • https://static.usrfiles.com/ugd/b8c837_59d6a22c28e24ac4a61b320cde793385.pdf
    • https://static.usrfiles.com/ugd/576447_bbcad4c35be84e9a9e8734d52f01bac5.pdf
    • https://static.usrfiles.com/ugd/29c71c_aacb201d9fbd4fd9a6680d5d4a53e25a.pdf
    • https://static.usrfiles.com/ugd/b8c837_db5ce2301eab471998b6d72e6d83ad04.pdf
    • https://static.usrfiles.com/ugd/a771bd_e931d7fdc89b47179abf7a8c53b32b96.pdf
    • https://static.usrfiles.com/ugd/b8c837_9243259f7f6e493eb8af06a6e2d34cd4.pdf
    • https://static.usrfiles.com/ugd/79e5df_d2b82e965cec4629948ca7ac13d3f203.pdf
    • https://static.usrfiles.com/ugd/b8c837_f453484c0fce4c15bf2363b5383b5521.pdf
    • https://cdn.shopify.com/s/files/1/0431/5139/2922/files/82728143719.pdf
    • https://cdn.shopify.com/s/files/1/0431/8062/1984/files/fozakabatosuw.pdf
    • https://cdn.shopify.com/s/files/1/0439/4778/6398/files/17330409262.pdf
    • https://static.usrfiles.com/ugd/cac9e4_2a58c262fc8145d29602785244a01226.pdf
    • https://static.usrfiles.com/ugd/7ef0dc_f2b7ff1b7ec14916b34f439607c79861.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070b7.bin
ad6c26e581082dae7e45ba2ceb4619518ee4bf3266789fa29d6e54838d1b1a90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70B7 5444 bytes
font_01_sfnt_off0000834e.bin
b88bd902113c7fbd229e4279f09c971351fc9770ef2400bf71a02e1a677b35a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x834E 10264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.