Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3803054eb535536…

MALICIOUS

PDF

35.9 KB Created: 2020-08-29 11:48:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 590e4e5a5f508e694d8081da853a058f SHA-1: 7905cb2f7157991ac7103e3c5a573e7b4e8ec219 SHA-256: a3803054eb53553602d574e00deaeaa7a1ef637492fa26f1f62a8f94f2692b17
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used to create link farms for SEO poisoning or to distribute malicious content. One of the embedded URLs, https://ttraff.com/wix?keyword=altsaxophon+noten+pdf, is identified as a known malicious redirector. The document body, though heavily obfuscated, contains references to this URL and other PDF files hosted on static.usrfiles.com. This suggests a phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=altsaxophon+noten+pdf
    • https://static.usrfiles.com/ugd/b8c837_893dac0340ab4e1f8b41f172dcd4a74f.pdf
    • https://static.usrfiles.com/ugd/b8c837_64ff54eb1c6c43e0a006ccc99c6f5e33.pdf
    • https://static.usrfiles.com/ugd/b8c837_3965226ac8f9493e9a7333be8078ceb5.pdf
    • https://cdn.shopify.com/s/files/1/0435/1826/3448/files/45667024558.pdf
    • https://cdn.shopify.com/s/files/1/0436/4887/6697/files/13694326338.pdf
    • https://cdn.shopify.com/s/files/1/0431/6895/6565/files/dxo_photolab_torrent_download.pdf
    • https://static.usrfiles.com/ugd/b8c837_96f1f79f01ab40d9b0803742480f2cd7.pdf
    • https://static.usrfiles.com/ugd/c836c3_2ec2ab5d2bb3470599f87ff65341cc5c.pdf
    • https://static.usrfiles.com/ugd/b8c837_6212f1430b58437d84a577fc1e1c08ef.pdf
    • https://static.usrfiles.com/ugd/b8c837_46727d6a9e3a44e880657e6f3428764c.pdf
    • https://static.usrfiles.com/ugd/b8c837_55c95d7425094209b1bd0b0057209363.pdf
    • https://static.usrfiles.com/ugd/b8c837_6a6f665af5514b05b9e37e5f8a6aa20c.pdf
    • https://static.usrfiles.com/ugd/b8c837_3020995e824d418eba3eec8f8e0e8417.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000508b.bin
a66551c37d55399712248db635dad8bf2d59f87b80c87a6a50682aa50961c33f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x508B 5092 bytes
font_01_sfnt_off000061d5.bin
911a318da0d79ec5d1f566b5c7208b6648aae758d6d9d6f8dd4aa8700c073509		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61D5 9492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.