Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1b77cdb15641499…

MALICIOUS

PDF

48.8 KB Created: 2020-08-29 21:39:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6cb3bca067dea2a3ac01a1399647d920 SHA-1: 21d0b66020c4830696ca12cf62d8eeba85382cdb SHA-256: a1b77cdb156414992daab9ec222a0e6cd6c2934333f9ec05055b0ede52017cc0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious due to the presence of a large number of embedded links. One critical heuristic firing indicates a PDF link to known malicious redirector infrastructure, specifically 'https://ttraff.club/wix?keyword=bdo+black+stone+farming'. Another heuristic identified a PDF link farm with numerous external links, the first of which is 'https://static.usrfiles.com/ugd/b8c837_2a92d4228df245729137bddd11933ccb.pdf'. The document body contains obfuscated text but also explicitly includes the malicious URL and several benign-looking PDF URLs, suggesting a lure or redirection mechanism.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=bdo+black+stone+farming
    • https://static.usrfiles.com/ugd/b8c837_2a92d4228df245729137bddd11933ccb.pdf
    • https://static.usrfiles.com/ugd/b8c837_bd09c383339a480bb46b21b5c0a4a224.pdf
    • https://static.usrfiles.com/ugd/b8c837_d6be4d119454488385e544be8e0be150.pdf
    • https://static.usrfiles.com/ugd/b8c837_b9a69bcc4ee8492594ddbdeac6519153.pdf
    • https://static.usrfiles.com/ugd/b8c837_edd33d551f4f421bb0b5ca9025c349b7.pdf
    • https://cdn.shopify.com/s/files/1/0431/6564/7012/files/canned_pinto_beans_nutritional_information.pdf
    • https://cdn.shopify.com/s/files/1/0434/7235/5478/files/xofus.pdf
    • https://cdn.shopify.com/s/files/1/0432/0660/7012/files/wujati.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f1da4ce6619429eb17f13416e33ad5a.pdf
    • https://static.usrfiles.com/ugd/b8c837_d4c0239534bb4abcb72b5598d5bb5b29.pdf
    • https://static.usrfiles.com/ugd/856cea_348ac78607fd47b1a1edd31a17a81e74.pdf
    • https://static.usrfiles.com/ugd/69695d_58261a262a6b4de082f55da5163d5225.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008077.bin
53c28890e52044a0a80df7d70cab9322e88c388747949896680b212bffc567c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8077 5592 bytes
font_01_sfnt_off0000936b.bin
89dfdb3b2a79a3f5b385c04eb9785eed425a0c4002c1002b25cb0711ccfac70f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x936B 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.