Malicious PDF — malware analysis report

Static analysis result for SHA-256 a293d4555797751b…

MALICIOUS

PDF

125.1 KB Created: 2020-08-31 10:31:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ea982a6e59b04437c3d44e00ab107bc SHA-1: 3ed2686e35915ac6adfaea34d8d765d56f214e86 SHA-256: a293d4555797751ba7e9715c97ed1261e6f88e215116d7a74af76dd0c080b4f9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link and a large number of external PDF links, suggesting an SEO manipulation or link farm tactic. The primary malicious URL, 'https://ttraff.me/wix?keyword=china+birth+chart+pdf', is designed to lure users with a seemingly relevant search query. The document body is heavily obfuscated but contains this URL, reinforcing the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=china+birth+chart+pdf
    • https://static.usrfiles.com/ugd/9cb927_7853b692dc25446a928fac9e592ec03e.pdf
    • https://static.usrfiles.com/ugd/1cc7e8_3321e4de9b494852a146ab7e59d58825.pdf
    • https://static.usrfiles.com/ugd/b8c837_f0d1465147984e98a0fc0aa581cad539.pdf
    • https://static.usrfiles.com/ugd/de65f7_ad5855e5d5e947298e769027976fcce1.pdf
    • https://static.usrfiles.com/ugd/b8c837_40a2cbe2afd748799e551873f3087246.pdf
    • https://cdn.shopify.com/s/files/1/0433/8984/5654/files/49723594348.pdf
    • https://cdn.shopify.com/s/files/1/0435/9297/4499/files/turikerama.pdf
    • https://cdn.shopify.com/s/files/1/0429/8348/9687/files/bedota.pdf
    • https://cdn.shopify.com/s/files/1/0431/2327/7973/files/pelegilime.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f9fc17a04d442549d9519356a8adbaf.pdf
    • https://static.usrfiles.com/ugd/b8c837_63aad2c1a8234b43a7d25d63c193b7e7.pdf
    • https://static.usrfiles.com/ugd/c63dba_f5e26fca427d43ff9aeb08e18e9b3780.pdf
    • https://static.usrfiles.com/ugd/b8c837_d2e163d0ad8f4ade89c02e5fa1497de2.pdf
    • https://static.usrfiles.com/ugd/b8c837_72d4d373bbd24959b2e36528554b99ea.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001b10f.bin
e0942b673cc01cb86eec8f71824eb4b50685cf6e681f19223a48ccd9ff90f808		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B10F 5076 bytes
font_01_sfnt_off0001c23c.bin
e7b912dcb09f7dac6ed0bd36a93cc4a8dc735657d61b903c340d4836f7b89843		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C23C 11404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.