Malicious PDF — malware analysis report

Static analysis result for SHA-256 b724af5c98957807…

MALICIOUS

PDF

40.7 KB Created: 2020-09-02 23:42:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74451ab3f92e5150b7b7feb147fcda68 SHA-1: d574a19d121d17798754cfdaaab1588a350092f1 SHA-256: b724af5c9895780701e4f8d955437ebe95a8046c76ee1d2d6b37fe61d99a77fd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains numerous embedded links, with a critical heuristic firing indicating it's a malicious redirector. One of the primary links directs to 'ttraff.com', a known malicious redirector. Another heuristic identified a PDF link farm, with the first URL pointing to 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wix?keyword=parallelism+in+grammar+worksheets', suggesting a lure related to grammar worksheets to entice clicks.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=parallelism+in+grammar+worksheets
    • https://static.usrfiles.com/ugd/b8c837_687432d7fb5a4018b283f64ed50952c2.pdf
    • https://static.usrfiles.com/ugd/e2c250_5c731f9ee96948409e51b87084182af6.pdf
    • https://static.usrfiles.com/ugd/b8c837_dac20c1629db4edea42acf905b7e44bf.pdf
    • https://static.usrfiles.com/ugd/3e7897_ef764b5c8dce4ec681a5ed34af3063df.pdf
    • https://static.usrfiles.com/ugd/e7e4a0_f6556485b49d4b31800340ae88418669.pdf
    • https://static.usrfiles.com/ugd/26938b_d1b88eefa9544a399255c1ad69833cbd.pdf
    • https://static.usrfiles.com/ugd/19103d_5ca7d7cff2ee4bd49cd4d6cf751b05e7.pdf
    • https://static.usrfiles.com/ugd/c83fdb_126b5389cb9e4903b3a90b2b8b5d5429.pdf
    • https://static.usrfiles.com/ugd/a18aa6_ace1b2eefc794a18a7a738afd759f3f4.pdf
    • https://static.usrfiles.com/ugd/c345b0_9d4864e242374668a6777c2ffd6e310a.pdf
    • https://static.usrfiles.com/ugd/b8c837_9fc9a486b9604967a546ce3f8cd15726.pdf
    • https://static.usrfiles.com/ugd/7198c1_9b75c3d7d5414421be94e678c9209766.pdf
    • https://static.usrfiles.com/ugd/cb2bed_c835bdba17e342bbb84b7470d579a8b8.pdf
    • https://static.usrfiles.com/ugd/cf14a4_3f736a33b8984e389f97288d20538bbf.pdf
    • https://static.usrfiles.com/ugd/bfd78a_7b571d41f9fb45cfa2099836718705ba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060d8.bin
165d30eaf126dd724d6f5cf79dc0422f7adcfd9326731b9c413b7f2892e859cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60D8 5256 bytes
font_01_sfnt_off0000729d.bin
c0a6f181c713e7382e5cc8463f43c0dd6b81f1089dc96a9b17b7c52acb318d7e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x729D 10368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.