Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad95fa20668b2f70…

MALICIOUS

PDF

55.5 KB Created: 2020-08-29 21:56:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db108e857f4613489a957cc678835330 SHA-1: c58d858a9defb966425adae0c7cdfb591dc3f3d5 SHA-256: ad95fa20668b2f70ae24ed893a169e581aaad3b93b78bf20501351df98481e01
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a lure for an advance-fee scam, indicating a fraudulent intent. It embeds a link to 'ttraff.cc', which is flagged as a malicious redirector. This redirector likely leads to further malicious content or phishing pages. The document also contains a large number of embedded links, many pointing to 'static.usrfiles.com', suggesting a link farm or SEO poisoning tactic to distribute the malicious redirector.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=henderson+ky+tempo
    • https://static.usrfiles.com/ugd/b8c837_e32925c4c4944104ad021826a9565fad.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa3f79f315344e1b9542d8b04c15f966.pdf
    • https://static.usrfiles.com/ugd/ca9b0a_37b11f3f99bc437baaecd980b6f56ed6.pdf
    • https://static.usrfiles.com/ugd/ea9bdf_85dccd285d964651bce5aead03ee3ebe.pdf
    • https://static.usrfiles.com/ugd/b8c837_06a290a14c7b4918819c938994945933.pdf
    • https://static.usrfiles.com/ugd/b8c837_9c96f03232f04614b75e5c3fb64f32f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_c5457d31b2ec4059a31b98aa8781f0d3.pdf
    • https://static.usrfiles.com/ugd/b8c837_7c0f24aff7b047609dab73deaffd0e8b.pdf
    • https://static.usrfiles.com/ugd/b8c837_92d14305228349b79a9fa88ff53bf428.pdf
    • https://static.usrfiles.com/ugd/b8c837_f454b93d6fad41bc85e70e7b7c8c3dd3.pdf
    • https://static.usrfiles.com/ugd/b8c837_de9313b406d64784937543534630954f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e6a1dd58cfee42ee9a569df62f8afcd9.pdf
    • https://static.usrfiles.com/ugd/b8c837_75d5d82399a74aec98401ac42c2378e0.pdf
    • https://static.usrfiles.com/ugd/b8c837_6733231724be44e0b5452b979acb5e2c.pdf
    • https://static.usrfiles.com/ugd/10e3af_15c5f45b7769422b9eabd7ae14cbd1fb.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa25e1f126944930bdbefbf180af2a56.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a2f1bb028824d18b235d7011b930a57.pdf
    • https://static.usrfiles.com/ugd/b8c837_26bb621c7d8248298c8faafd44e75198.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009aca.bin
89615b97af2b81e16fc6c15fe2d113a0859ca567c8f9cb7fee93a1bb81190db1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9ACA 4988 bytes
font_01_sfnt_off0000abb7.bin
c4aec902a498d73563eb32928fe56ad8874817dce5f27bf8c2cb343cbdf11c8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xABB7 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.