Malicious PDF — malware analysis report

Static analysis result for SHA-256 9db5bd515b85a914…

MALICIOUS

PDF

Size: 100.6 KB
Created: 2020-09-10 17:57:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5282507babcefb1610a1463a7a673c58
SHA-1: 6493ae098e4a18d2e46b8ea25e4805ce27e0a2b9
SHA-256: 9db5bd515b85a91432f194f568f341d788dc16b2160ac97a95532cee1902fa3f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. This URL is part of a link farm strategy, as indicated by the 'PDF_SEO_LINK_FARM' heuristic, which attempts to distribute malicious content across numerous PDF files. The document body, though heavily obfuscated, contains the same lure text as the redirector URL, suggesting a social engineering attempt to trick users into downloading further malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=fumetti%20marvel%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00014336.bin
  SHA-256: 95876b91892da93bbf65687754575e0c5fd8b944d22fc66f2202a9fc6ad793e7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14336
  Size: 5024 bytes

Filename: font_01_sfnt_off00015441.bin
  SHA-256: 5aac643eaee22f79db4ddb1141dfe89a5056cb2d494d77c19a16cc3303aee00a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15441
  Size: 15536 bytes