Malicious PDF — malware analysis report

Static analysis result for SHA-256 a71cd8c7cdaa2ed3…

Verdict: MALICIOUS
File type: PDF
Size: 44.1 KB
Created: 2020-08-31 04:47:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41baa8cc12ac6274fc80311526a6b4e1
SHA-1: c5483e086d8031b811680fda840dc2b0c3f6f0f0
SHA-256: a71cd8c7cdaa2ed3bddb98355fae1647cbe5ff47138380d6ce1df63221a26e4a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired on a malicious redirector link in the PDF, pointing to 'https://ttraff.cc/wix?keyword=wubbzy+amazing+adventure'. The file also exhibits the characteristics of a PDF link farm: it carries numerous embedded links to other PDF documents hosted on static.usrfiles.com. The document body consists of garbled text but includes the malicious URL, which suggests the document is a lure that routes the reader to external content rather than an exploit against the PDF parser. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=wubbzy+amazing+adventure (label: URL)

Extracted artifacts (3)

Files carved from inside the sample during analysis. Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off0000603b.bin
    SHA-256: e1c0bbcba0514d819d346dbf03e091a7475f33068f3992a2bcf3be42795a268f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x603B
    Size: 5072 bytes
  • font_01_sfnt_off00007176.bin
    SHA-256: 09af4e9e342c6d34b5c499677b7691a14a4bf1a177080fc3581a14d42ddff7e6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7176
    Size: 11004 bytes
  • font_02_sfnt_off000095a8.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x95A8
    Size: 4324 bytes