Malicious PDF — malware analysis report

Static analysis result for SHA-256 b67ffb897bb2454b…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Created: 2020-08-31 08:01:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f2972df84a805cc1aed54363de339ef
SHA-1: 3c33e7d37e5aaa89524fbe85f81e12ca8279ffed
SHA-256: b67ffb897bb2454bfd437672b597794d603277b6afa6305de284dd399b3abf39
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=leawo+bluray+copy'. Additionally, it exhibits characteristics of a PDF SEO link farm, embedding numerous external links, one of which is 'https://static.usrfiles.com/ugd/f55bec_4792a813c173437cbdb591a2ccde661b.pdf'. The document body, though heavily obfuscated, also contains the malicious redirector URL. These factors strongly suggest the PDF's purpose is to lure users to malicious infrastructure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/wix?keyword=leawo+bluray+copy
    • https://static.usrfiles.com/ugd/f55bec_4792a813c173437cbdb591a2ccde661b.pdf
    • https://static.usrfiles.com/ugd/52b593_f071266d78024385915c34684836c2c7.pdf
    • https://static.usrfiles.com/ugd/6a7407_e26cfe94ee4b4bc9a659d85b61219f23.pdf
    • https://static.usrfiles.com/ugd/b8c837_4a9d8c3bd2f34959b9573af6e6a70b68.pdf
    • https://cdn.shopify.com/s/files/1/0433/2208/1448/files/51347168298.pdf
    • https://cdn.shopify.com/s/files/1/0429/9168/1699/files/66004986478.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/55628578329.pdf
    • https://static.usrfiles.com/ugd/277b62_9c9f5fc2634444e59f3d7a33ae1a4637.pdf
    • https://static.usrfiles.com/ugd/b8c837_4d47cced563b4c91b7c6e1833c6d57c7.pdf
    • https://static.usrfiles.com/ugd/89064d_5e671675e86c48c1bb7d7a0c9c732d5a.pdf
    • https://static.usrfiles.com/ugd/735189_d36d19e6749c447880720f7aaa0f4f4a.pdf
    • https://cdn.shopify.com/s/files/1/0430/5167/9893/files/xunoguxonabapara.pdf
    • https://cdn.shopify.com/s/files/1/0435/3864/5144/files/jisukuwuwamiziwo.pdf
    • https://cdn.shopify.com/s/files/1/0435/3071/5295/files/76034944488.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005f6d.bin
SHA-256: 213120ef940159543e360e7cfa26ec635b3e0da75139290ee6ae598593771084
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5F6D
Size: 5024 bytes

Filename: font_01_sfnt_off000070af.bin
SHA-256: e711d9b2ff0282ed10b7a3d0f038fa38cfd790e20712b1e7ab1792ddc32c001f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x70AF
Size: 12992 bytes