Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e9d7d5a7a0c4e7d…

MALICIOUS

PDF

49.8 KB Created: 2020-08-31 23:54:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41d02db9d5577804abb8773e1563dbd2 SHA-1: 2f601c75ac2b65fbb088c85912b8a2d44fe047a6 SHA-256: 9e9d7d5a7a0c4e7dcbf757bfb7a159c3989f4cd03f5fd6136ddebc1dc5d42453
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was identified as malicious due to a critical heuristic firing for a malicious redirector link. It also contains a large number of embedded external links, suggesting a link farm for SEO manipulation or to distribute malicious content. The primary malicious URL identified is 'https://ttraff.link/wix?keyword=freedom+trail+guide+free', which is likely used to redirect users to a further malicious destination. The document body contains garbled text but also includes the same malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=freedom+trail+guide+free
    • https://static.usrfiles.com/ugd/02beb7_63136a8b14bf4b4b8eb9f076bb9b2796.pdf
    • https://static.usrfiles.com/ugd/ef7b09_2790a963120b496c91f93483a73d3aea.pdf
    • https://static.usrfiles.com/ugd/b8c837_b1b6dd5e34a34c318935621fec93e880.pdf
    • https://static.usrfiles.com/ugd/b8c837_044e78700e9f47cb857e1dc0d1e58284.pdf
    • https://static.usrfiles.com/ugd/dd4472_e86f47c1125b4e718d687c7f4ff6a43e.pdf
    • https://cdn.shopify.com/s/files/1/0433/9793/9349/files/jafuvozisinuvo.pdf
    • https://cdn.shopify.com/s/files/1/0433/7339/6133/files/pusonadigenejometut.pdf
    • https://cdn.shopify.com/s/files/1/0428/7175/0822/files/jadixaramuzesufupuve.pdf
    • https://cdn.shopify.com/s/files/1/0431/6237/0210/files/juraxejaxivelewelolemo.pdf
    • https://static.usrfiles.com/ugd/02beb7_7168f11f019e493594587ded0d737e7b.pdf
    • https://static.usrfiles.com/ugd/289c5e_35befb967f0c4acb96cae073095c564d.pdf
    • https://static.usrfiles.com/ugd/b8c837_0e273e18c1004126acd85c1c5cee17c8.pdf
    • https://static.usrfiles.com/ugd/b8c837_fba0567a109a46a6868974efd7aa2b5e.pdf
    • https://static.usrfiles.com/ugd/b8c837_2f54dcd7a6aa41818db7af5c9f301ed3.pdf
    • https://static.usrfiles.com/ugd/b8c837_f81ec92353d142749aa3b758d9117697.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000084bb.bin
17e6f1f366c5c1ac899b2c972043501057c66e593145380984f2557b48e64c21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84BB 5004 bytes
font_01_sfnt_off000095aa.bin
64895ebf65f91c7d7aea982b32bb8f4c3273ca3bc60b56190109f0c28cc3c1fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95AA 10676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.