Malicious PDF — malware analysis report

Static analysis result for SHA-256 afc83e3f0639b48f…

MALICIOUS

PDF

47.0 KB Created: 2020-09-07 00:52:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f46587a31b8ae437e9e89dd5963f096 SHA-1: 6a9e772ccd2edc545ac65c1ff4d3c1fac2353714 SHA-256: afc83e3f0639b48f4b9c38cc5000bf8800297cbdf9afd2467ecce08c84a1b0e8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=dads+worksheets+money'. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The file also exhibits characteristics of a PDF link farm, with numerous embedded links, many pointing to static.usrfiles.com. The overall intent appears to be directing the user to the malicious ttraff.club domain.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=dads+worksheets+money
    • https://static.usrfiles.com/ugd/37987b_91f3fdd265f04c97a3a8ee8235473c2d.pdf
    • https://static.usrfiles.com/ugd/dcfb95_9a9b44d654794c7d8332c8c2b2933958.pdf
    • https://static.usrfiles.com/ugd/7c3584_461cb14ad5a847b39b7998a6a62d4ac8.pdf
    • https://static.usrfiles.com/ugd/430cb2_73c229e808eb4900af67b55b98aee6cd.pdf
    • https://static.usrfiles.com/ugd/cfa91a_9e1a3fd932ac435e89051a1d7911a100.pdf
    • https://static.usrfiles.com/ugd/b8c837_4f8db4302e5f4fa99060525ba0e440dd.pdf
    • https://static.usrfiles.com/ugd/6846fe_3b5ab7982dfc4a51870e0f48763896d0.pdf
    • https://static.usrfiles.com/ugd/a2e20a_2fb29834db954d5cb2e22ddfa37227c1.pdf
    • https://cdn.shopify.com/s/files/1/0431/0820/4704/files/vagevadatukozib.pdf
    • https://cdn.shopify.com/s/files/1/0433/2158/9913/files/vubunukawol.pdf
    • https://cdn.shopify.com/s/files/1/0430/3339/5353/files/cookie_clicker_macro.pdf
    • https://cdn.shopify.com/s/files/1/0428/6975/1967/files/pichaikaran_movie_utorrent_kickass.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007477.bin
68645add8c0fca045f72ba0967fea9c4c5e99ae8a16630f35c8d402dd34b16c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7477 5288 bytes
font_01_sfnt_off00008663.bin
76ab2fa0adcba4cde5fe913b380cebd6d8b40a5e79784fc0d53b82fea888b2ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8663 12748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.