Malicious PDF — malware analysis report

Static analysis result for SHA-256 a52f6e90c53906df…

MALICIOUS

PDF

33.9 KB Created: 2020-08-31 00:55:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b3e526d51078ed3adb543e15db76cd2 SHA-1: 4b88ae467e2eae7119079c3f6c9b9dbbe868c898 SHA-256: a52f6e90c53906df091d83409ed9cafc6890e3241af24e8321c331d10764a278
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1200 Hardware Add-in Systems

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of these links, https://ttraff.com/wix?keyword=medias+romania+pictures, is identified as a malicious redirector. This suggests the document is designed to direct users to malicious infrastructure, likely for further exploitation or phishing.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=medias+romania+pictures
    • https://static.usrfiles.com/ugd/739437_1fd1d1e4dfb44052a6ae1fad12db73ff.pdf
    • https://static.usrfiles.com/ugd/b58d21_b9cc062e031e471d9c841fe2f635e3fb.pdf
    • https://static.usrfiles.com/ugd/71fd01_0b9315d5f66340aa9d8509d75c362e8d.pdf
    • https://cdn.shopify.com/s/files/1/0435/9271/2349/files/26329405360.pdf
    • https://static.usrfiles.com/ugd/e32576_fca135aaf2a24327ad32b7425ccacc79.pdf
    • https://static.usrfiles.com/ugd/8b49c6_eab93ae0131b45c9b27e773c046d530b.pdf
    • https://static.usrfiles.com/ugd/23e9be_4705696bc2594a709ca29cc5a8cfb396.pdf
    • https://cdn.shopify.com/s/files/1/0431/3081/4626/files/git_revert_commit.pdf
    • https://cdn.shopify.com/s/files/1/0431/2236/0469/files/42278999956.pdf
    • https://cdn.shopify.com/s/files/1/0434/3758/8646/files/70734641055.pdf
    • https://cdn.shopify.com/s/files/1/0429/3401/0015/files/mezuxemafibobapebixemobak.pdf
    • https://cdn.shopify.com/s/files/1/0431/8042/5370/files/beeruva_movie_telugu_hd.pdf
    • https://www.alamy.com/licenses-and-pricing/?v=1
    • https://www.alamy.com/stock-photo-medias-is-a-town-i
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004811.bin
804e5d2d5336de57dfe4ff33f499918cd207e45cf88f59847c53734a5a6f687d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4811 5192 bytes
font_01_sfnt_off0000599f.bin
3651bb247b25ce0a5b308d2afc54c292254017950c3c64c78c5abe1cd32acbe5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x599F 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.