Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8edf57bf604b414…

MALICIOUS

PDF

92.7 KB Created: 2020-09-05 06:24:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77fcfe53badb0f73ab3910b63ab117ea SHA-1: 2e8d4a7f404e477bfb205368b55d9a924c8df556 SHA-256: a8edf57bf604b4142037e19b3f18c2fc11804768d73ff82307c5893e6fb8d6a8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was identified as malicious due to its inclusion of a link farm containing numerous external links. One of these links, 'https://ttraff.me/wix?keyword=learn+traditional+chinese+characters+pdf', points to a known malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of a link farm and a malicious redirector indicates an attempt to drive traffic to potentially harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=learn+traditional+chinese+characters+pdf
    • https://static.usrfiles.com/ugd/b444d4_d00eacbd56f84c74b4f0046c24570710.pdf
    • https://static.usrfiles.com/ugd/b8c837_d224297b83204df286bf3ea34a045d72.pdf
    • https://static.usrfiles.com/ugd/10e3af_1882b65fc96e4a1fa65766f2e49d0eaf.pdf
    • https://static.usrfiles.com/ugd/0a052f_47a2b7773d654e148be3c0b331bd4bca.pdf
    • https://static.usrfiles.com/ugd/811c4f_93a75eb1056e40f09468541cccf8ffcd.pdf
    • https://static.usrfiles.com/ugd/9cc572_f4c2229614da4013ae2afa798a3c6088.pdf
    • https://static.usrfiles.com/ugd/e2f197_3e88c0be887242d88c400d392755e47a.pdf
    • https://static.usrfiles.com/ugd/c88839_cf4b505d9e1945ffacfcc4ad6881ecc6.pdf
    • https://static.usrfiles.com/ugd/90c678_69b5a18f66e84bbd89760076a029a074.pdf
    • https://static.usrfiles.com/ugd/5c7528_a33cf8d26d2a4f29ad9c1ea1e8e08a71.pdf
    • https://static.usrfiles.com/ugd/6cf0f5_3218fda6a1a74575a35fd6b8014b8dc6.pdf
    • https://static.usrfiles.com/ugd/33a16d_7b852d2bf2454b42bba31f1a7ff81c22.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a647.bin
66bb85afd93bc41fed9dcb57a14de99abd97e5cfc06ed50be768723a11f86491		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA647 42436 bytes
font_01_sfnt_off00012621.bin
4e81008279061661178340792f0d46fe1bb0e3ac4911e4ff7286a17068e3ee94		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12621 5184 bytes
font_02_sfnt_off000137c1.bin
cb33eabebf2d72e3294c14756c8e5d0fd31dd6b314d3fab3b509128775cfc30e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x137C1 15120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.