Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ff81a81535083c6…

MALICIOUS

PDF

40.9 KB Created: 2020-08-31 20:38:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62a9b184ed1c037354910391f6f216a0 SHA-1: 726be9e90b86ad83954f3d3d35589340ffbcad62 SHA-256: 9ff81a81535083c66ef85689bc24e42b101d05b863ca3686df925e524b38c161
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which points to `https://ttraff.cc/wix?keyword=create+sheet+in+excel+macro`. This URL is likely used to redirect the user to a malicious site. The document body also contains this URL and numerous other links, indicating a link farm strategy. The primary attack pattern involves luring the user to click a malicious link within the document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=create+sheet+in+excel+macro
    • https://static.usrfiles.com/ugd/9cfd0a_c4590f36d3c84835b596ea3704cb691b.pdf
    • https://static.usrfiles.com/ugd/eb4c03_103de80a2c7e4199b63d8e607f2bfe59.pdf
    • https://static.usrfiles.com/ugd/23e9be_31181af1c0204596960c0a035632ee07.pdf
    • https://static.usrfiles.com/ugd/735189_75a8b1f7c4f944cd809310b9f8075dd7.pdf
    • https://static.usrfiles.com/ugd/3dd68e_54faf66920134073958cae27abdce764.pdf
    • https://cdn.shopify.com/s/files/1/0431/0515/7282/files/73721318875.pdf
    • https://cdn.shopify.com/s/files/1/0432/1561/8203/files/16102697696.pdf
    • https://cdn.shopify.com/s/files/1/0437/2784/7576/files/problem_solving_strategies_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/7754/1792/files/jozezogi.pdf
    • https://cdn.shopify.com/s/files/1/0463/1068/6882/files/avg_antivirus_gratis_para_celular_android.pdf
    • https://cdn.shopify.com/s/files/1/0438/0812/9185/files/corelli_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0436/6771/8309/files/cours_capteur_de_pression.pdf
    • https://cdn.shopify.com/s/files/1/0438/3460/5728/files/html_form_submit_button_size.pdf
    • https://cdn.shopify.com/s/files/1/0435/5833/8715/files/employment_contract_template_ireland.pdf
    • https://cdn.shopify.com/s/files/1/0437/7188/7767/files/57093522487.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006475.bin
43325b799921ec0dcfdd891e3a88eac77cdd543d548d8d8ffc489b7c4546ecad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6475 5012 bytes
font_01_sfnt_off0000754f.bin
e79dee3158cd1a2364631c92abf27c68ae36d94d62973b71c688005f15793119		 pdf-font-stream PDF embedded font (sfnt) at offset 0x754F 9836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.