Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f1ee3753f75ee85…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Created: 2020-09-06 05:05:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 645da09fdb3f18ee3f0d4ed982a18950
SHA-1: 6e9471a3e50307afd418d586b4737186b8473ba7
SHA-256: 9f1ee3753f75ee853250aab99f302e27b5f9286092be06a23c25e673f0706430
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a malicious redirector link and a large number of links to external PDFs, likely for SEO poisoning or to host further malicious content. The document body text, though garbled, suggests a lure to install a browser extension or update. The primary malicious URL identified is https://ttraff.me/wix?keyword=streaming+video+er+firefox+addon, which is flagged as a malicious redirector.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure (severity: high, rule: SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.me/wix?keyword=streaming+video+er+firefox+addon

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005ec6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5EC6   5248 bytes
  SHA-256: 32eed5a65b070981c1e6eff558d10901edd2e07f799f7928760c543bf0ecf20a
font_01_sfnt_off0000709a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x709A   10356 bytes
  SHA-256: fc7d4d29c45315def97caf229221ded99d9cb0a6ea420aada80111f34be40796