Malicious PDF — malware analysis report

Static analysis result for SHA-256 a60e0bb8526b844c…

MALICIOUS

PDF

36.6 KB Created: 2020-08-30 07:51:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fa2fa47beec52879c445c25ef480d0c SHA-1: ab8f3e5d7564110765787f630c55f5e580963668 SHA-256: a60e0bb8526b844cf63043fb4027e14c1fcee976b38a93bc7907e361088f8b06
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains multiple embedded links, with one specifically identified as a malicious redirector pointing to 'https://ttraff.com/wix?keyword=challenge+of+democracy+janda'. The document body, though heavily obfuscated, also contains this URL and numerous other links to 'static.usrfiles.com', suggesting a link farm or redirection strategy. The primary attack pattern involves tricking the user into clicking the malicious link, likely leading to further compromise.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=challenge+of+democracy+janda
    • https://static.usrfiles.com/ugd/b8c837_442a99682b674e5989cf22ddb6f6c15f.pdf
    • https://static.usrfiles.com/ugd/b8c837_9f8591c6e2084a909003fe2ca208d870.pdf
    • https://static.usrfiles.com/ugd/79cb75_ccc5f3f40b304c96ade856434e1f3c4e.pdf
    • https://static.usrfiles.com/ugd/0df15e_71d6576dbd9f4cc68670271dd5f723b8.pdf
    • https://static.usrfiles.com/ugd/f55bec_a6d9c70e275d47cc954e7a872bd779d4.pdf
    • https://static.usrfiles.com/ugd/f523c3_1a216a7146994d6bbc4b7552d896e854.pdf
    • https://static.usrfiles.com/ugd/b8c837_582e8594b21e426ab2e43ed936f35e88.pdf
    • https://static.usrfiles.com/ugd/a18aa6_fc830e58fbea4190aa1e8c28189aa3dd.pdf
    • https://static.usrfiles.com/ugd/3aca14_10f55ff583674d68b83a0d442b90f52d.pdf
    • https://static.usrfiles.com/ugd/b8c837_614a9fbf0c054cf2897bdc359360e45d.pdf
    • https://static.usrfiles.com/ugd/314c35_3f07494409d64dc78e16b14b34ca2cda.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000514d.bin
67148391dfc5c3bf1178b9bb79ad8774c9f496b0ffd684b460a03f76f0c9592e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x514D 5340 bytes
font_01_sfnt_off00006358.bin
62e0a7c66e781c53c0381003a9cd06d7e2116cec5c64c44037097fff8eca6ac0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6358 10160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.