Malicious PDF — malware analysis report

Static analysis result for SHA-256 a717a9e9d142e3aa…

MALICIOUS

PDF

40.7 KB Created: 2020-09-01 20:32:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ad1d8981cd73578f0d0f1730740c587 SHA-1: d71689e888b05e72ef58912ccbac90966ebada1b SHA-256: a717a9e9d142e3aa01e1aba44ab5dc9512820c9ebb20cbd66e50edc8e7bb59ab
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.club/wix?keyword=local+travel+guide+japan'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, many of which point to 'static.usrfiles.com'. The document body, though heavily obfuscated, appears to contain the same malicious URL. This suggests a social engineering lure to drive traffic to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=local+travel+guide+japan
    • https://static.usrfiles.com/ugd/b8c837_19bf628f17bd479e96ab3a433509fdc4.pdf
    • https://static.usrfiles.com/ugd/031dda_a083037d451f403bb6e16a89cdcdc73a.pdf
    • https://static.usrfiles.com/ugd/6d59ab_f7ffd587b82445d598a75c232d764f7a.pdf
    • https://static.usrfiles.com/ugd/238140_10d4742f61ea4535947f1827e6fdeb0f.pdf
    • https://static.usrfiles.com/ugd/b8c837_a5d7dc1cfffc4c32bd88f0a002258f45.pdf
    • https://static.usrfiles.com/ugd/74c34a_ccfdf9cd3f9841cba2b3fbbfcaa708de.pdf
    • https://static.usrfiles.com/ugd/04c368_f85ce68507484cb18152fdf101df5974.pdf
    • https://static.usrfiles.com/ugd/bd5c68_c9c5d8fb5498487482c40a66d7d9dc6a.pdf
    • https://static.usrfiles.com/ugd/f99735_ee2022ac65814442a9653a30b5bbde1e.pdf
    • https://cdn.shopify.com/s/files/1/0432/5556/2402/files/ruxuwovus.pdf
    • https://cdn.shopify.com/s/files/1/0437/4996/5985/files/12545640870.pdf
    • https://static.usrfiles.com/ugd/b8c837_96a059437a0649ac9aaf8f377b63c9d4.pdf
    • https://static.usrfiles.com/ugd/b8c837_d8405a7a87514521a8b6e3a1fa891439.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006183.bin
760230f59e539d56ad8dee92ce665a6a1f18fa8dc983e229eab3638e667cfb7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6183 5140 bytes
font_01_sfnt_off0000731d.bin
011b5ea3662dd5b65ffd3c25fa2600cf2f8bdd34cf0c8493961a18ba203d8c5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x731D 10252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.