Malicious PDF — malware analysis report

Static analysis result for SHA-256 a102f3fbc5bb28f9…

MALICIOUS

PDF

41.8 KB Created: 2020-08-29 01:21:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fab2b5d3da2838ae7a66cfd632434d6 SHA-1: bd6c45b9fbb265cca67b92ecb129e8be3aec1d6c SHA-256: a102f3fbc5bb28f9626c3890945517bf5bcab294e1f0980bf8d0fb5951f46a4b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.cc, which is likely used to host further malicious content or phishing pages. The document body, though heavily obfuscated, contains text related to 'Pioneer vsx-522-k price' and references wkhtmltopdf, suggesting a lure to a fake product page or scam. The presence of a large number of embedded links to static.usrfiles.com, while individually benign, contributes to the overall SEO spamming nature of the PDF.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=pioneer+vsx-522-k+price
    • https://static.usrfiles.com/ugd/b8c837_5c78c70fad444852a6a9f32005c4f8f0.pdf
    • https://static.usrfiles.com/ugd/b8c837_39031162c1a244c890e29b41318ea892.pdf
    • https://static.usrfiles.com/ugd/b8c837_6ca9ee3b85aa4b28a40204dbd0cb6a60.pdf
    • https://static.usrfiles.com/ugd/b8c837_f49eabad86f048a197efaeb994fdb866.pdf
    • https://static.usrfiles.com/ugd/b8c837_5a8c5136b98347979ff627a5ad2814d8.pdf
    • https://static.usrfiles.com/ugd/b8c837_47371dc6359d40d0924dcae8275cf18a.pdf
    • https://static.usrfiles.com/ugd/b8c837_70e854ce6a3d4db89aedaaf136a267a3.pdf
    • https://static.usrfiles.com/ugd/b8c837_8f6e69020c294561b7007165e3df0ad9.pdf
    • https://static.usrfiles.com/ugd/b8c837_ade0280e59a54ff292712a7ad4f13686.pdf
    • https://static.usrfiles.com/ugd/b8c837_c96272b370dc4e5f98cf418d801f244d.pdf
    • https://static.usrfiles.com/ugd/b8c837_273f057a034d4f53a9ffdfa2c6cd3527.pdf
    • https://static.usrfiles.com/ugd/b8c837_1e8281d17f484757a0ac67e31cd9e44d.pdf
    • https://static.usrfiles.com/ugd/b8c837_1fdd3a5c605f4d6ab4e58f6f2fa293d4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064a3.bin
dc38e26e7d62c11f835174d4df696409557ee87f26c1fb2fdf5c25870abdf695		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64A3 5168 bytes
font_01_sfnt_off0000765f.bin
712277f4f6cfe3fd1567a95a164bb6c5a343d24a3cc3cea1b4793da2cfe78364		 pdf-font-stream PDF embedded font (sfnt) at offset 0x765F 10664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.