Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5d45dba4681f512…

MALICIOUS

PDF

66.7 KB Created: 2020-08-30 06:28:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f189a34fa997941f64e9d2bd0e94516 SHA-1: b2aff59638fd61a23e75b767273d32a6d55840ca SHA-256: a5d45dba4681f512908a3a5edf4dbec8c219f985173dffab6dd547d420e0f6fc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.club, which is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains the same URL. The presence of a link farm further suggests malicious intent, aiming to increase visibility or distribute malicious content through multiple linked PDFs.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=cost+accounting+horngren
    • https://static.usrfiles.com/ugd/e5cbe5_40f7aecc4e074c2eb92dbfb6d7a999cb.pdf
    • https://static.usrfiles.com/ugd/b8c837_20e9b76d67f040d0ae4bcbbd3b4ace65.pdf
    • https://static.usrfiles.com/ugd/e73fea_9b8c2ee7d86e44038c702d454d211197.pdf
    • https://static.usrfiles.com/ugd/b8c837_c4a1883c5e7a42648fcf9bd8cf3c0d4a.pdf
    • https://static.usrfiles.com/ugd/b8c837_821b45cd8966440ba66dbcaf78623e81.pdf
    • https://static.usrfiles.com/ugd/b8c837_c59f01c313944bd89b6c6d5c60b9c983.pdf
    • https://static.usrfiles.com/ugd/b8c837_f139695ee2484889a870e9f9d6725a17.pdf
    • https://static.usrfiles.com/ugd/158fb9_f9b60cd238204e7bb290cb5b47f394c3.pdf
    • https://static.usrfiles.com/ugd/b8c837_d51f0409b5254051a863753429337874.pdf
    • https://static.usrfiles.com/ugd/b8c837_9de4dfa3c6964f938a672be2f94dec18.pdf
    • https://static.usrfiles.com/ugd/b8c837_07d2ac8a94c74a2587d872b3ca4f266b.pdf
    • https://static.usrfiles.com/ugd/b8c837_0b7039da0d7347e782c7dc53500da723.pdf
    • https://static.usrfiles.com/ugd/90423f_0358ca1124d64ec689c31c27281c6ce5.pdf
    • https://static.usrfiles.com/ugd/bb13a2_ab50d8da270a439ca081549b33594b90.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000d4f4.bin
e5cee7dc1facc9329f15325a02de51f21ae455c6b1ab7f4576f89b579bde205b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xD4F4 22360 bytes
font_00_sfnt_off00009e9f.bin
c40697fd38bbd5db7383653a08755491d5911e91f6cdd3210941dd9237df1749		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9E9F 4932 bytes
font_01_sfnt_off0000af5a.bin
3777eec8ca3f318dfd40ce6d17e216ef4ca5a96c1ac3910b284d0e96447c67f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAF5A 11164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.