Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c672e7fb1c77c5e…

MALICIOUS

PDF

43.1 KB Created: 2020-09-01 05:27:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e7d06902ffdc5ec8d9183b711ec858e SHA-1: df2505f58a1627144e35e7857aa888addd76a3af SHA-256: 9c672e7fb1c77c5eb25e1936ebb4e05567d542e03626c263767aaf482bc89689
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=how+to+group+cells+in+excel+sheet'. The document body, though heavily obfuscated, contains text related to grouping cells in Excel, suggesting a lure. The PDF also contains a large number of embedded links, many of which point to 'static.usrfiles.com', indicating a link farm. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=how+to+group+cells+in+excel+sheet
    • https://static.usrfiles.com/ugd/a6e5e9_7ad714eadfd9489d9a3e939ae6fb53de.pdf
    • https://static.usrfiles.com/ugd/b50c55_ee21f661081447b18253ffaf99ee764d.pdf
    • https://static.usrfiles.com/ugd/cec570_305f58fadb904f599805ce9fb69e19e0.pdf
    • https://static.usrfiles.com/ugd/b8c837_7746f27624a447689928a2356cdaa579.pdf
    • https://static.usrfiles.com/ugd/cb5dea_e54987278e3342ddbe01c7e00a516abb.pdf
    • https://cdn.shopify.com/s/files/1/0428/7689/5398/files/rofat.pdf
    • https://cdn.shopify.com/s/files/1/0434/7245/3797/files/21621434203.pdf
    • https://cdn.shopify.com/s/files/1/0433/9495/7466/files/44867498721.pdf
    • https://static.usrfiles.com/ugd/74a852_b741b9628f7b4b64bdbc2d9bf23842ba.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_9afef04cb91f42d3a6ed9938cb2dc9b4.pdf
    • https://static.usrfiles.com/ugd/b8c837_c59f6c0eb37742cda4586de8e5ae4a8a.pdf
    • https://static.usrfiles.com/ugd/b8c837_255cab9218ea446897b28ca64baf0d1b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a71.bin
a9ffb94ea871a1be2301767f5b2f5755fa57da99dfaaaa3fe4d5c802f7c6c070		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A71 5104 bytes
font_01_sfnt_off00007be9.bin
cd6964874cdee7ccb753215f20028715d72aba4781e772ee33d85e1420baeb3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BE9 10540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.