Malicious PDF — malware analysis report

Static analysis result for SHA-256 b42ebf14c50aa80a…

MALICIOUS

PDF

41.9 KB Created: 2020-08-31 09:29:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4cc61d45df63780a741851f6d799d57f SHA-1: 0c9cb8bba0ccb92fa3dd54414e71ef16a997fd11 SHA-256: b42ebf14c50aa80a5706319b0cb26640ea01dede664f26fd0910c8149de72299
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, a technique often used to redirect users to malicious websites. One such link, 'https://ttraff.com/wix?keyword=distribucion+muestral+de+proporcione', is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL and other links pointing to a large number of PDFs hosted on 'static.usrfiles.com', suggesting a link farm or SEO poisoning attempt to lure victims. No scripts were extracted, but the primary attack vector appears to be social engineering via malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=distribucion+muestral+de+proporcione
    • https://static.usrfiles.com/ugd/895bef_7640c0f7d05f47a680d7f3329a22541a.pdf
    • https://static.usrfiles.com/ugd/ca32a8_31a7ad7550474773a5438c08afca26ac.pdf
    • https://static.usrfiles.com/ugd/77941b_d28d52d034034e819e1a43b83942ce25.pdf
    • https://static.usrfiles.com/ugd/b8c837_77c975ca356f4feab207798eb7a5a9c0.pdf
    • https://cdn.shopify.com/s/files/1/0436/0008/5160/files/distribuio_de_binomial.pdf
    • https://static.usrfiles.com/ugd/b8c837_fe8c231f58e4478fa6e538adaf562164.pdf
    • https://static.usrfiles.com/ugd/9b33c5_acc0bd81ef704ff3aaa17a7c3b05f23d.pdf
    • https://static.usrfiles.com/ugd/902d29_c0fbc5eb1cda4a6498090b426556e931.pdf
    • https://static.usrfiles.com/ugd/9904c2_846a55c5542a4347bb90f06b42270607.pdf
    • https://static.usrfiles.com/ugd/b8c837_29b0faa7fe7f46a59861ac64290e4320.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_b872323da45741e883cf9e15fbf342f2.pdf
    • https://static.usrfiles.com/ugd/b8c837_acd2b21d711d485d93ff7233026187c3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062be.bin
aab383a38f38db1c6c563f34465bedf57b1ecd57d38c14ef24364ef78c3b0d35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62BE 5356 bytes
font_01_sfnt_off000074ce.bin
3482edaed49f5ae61bf83250e51bc1887ed05241d042856d016fee7935f9d724		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74CE 11596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.