Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8da49252b494235…

MALICIOUS

PDF

41.6 KB Created: 2020-08-30 02:39:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63c6d91b40f8a8f69d62d1de27ed5ae0 SHA-1: fd3fafa0612e8fbb4e0eff40d686b0f28fab834d SHA-256: b8da49252b494235de78d7c6a5b94c25f05645cc3ddac78dd6bbe7f865e8f014
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing indicating a malicious redirector link. This link, 'https://ttraff.cc/wix?keyword=bootleg+L%25C3%25BCcke+Golfplatz+scorecard', is likely the primary mechanism for delivering a malicious payload or leading the user to a phishing page. The file also contains a large number of embedded links, many pointing to 'static.usrfiles.com', which is flagged as a link farm, further suggesting a malicious intent to distribute content or redirect users.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=bootleg+L%25C3%25BCcke+Golfplatz+scorecard
    • https://static.usrfiles.com/ugd/b8c837_1d08ac3d725a4921b691155fbd84b27f.pdf
    • https://static.usrfiles.com/ugd/3fc21f_3590d618c7404fa8a5c379a17bf7f3de.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_95e6c8197e974c34baebfb6dfb309dee.pdf
    • https://static.usrfiles.com/ugd/ae15ca_9abdc9e3e2564412bbce433a4c3c2551.pdf
    • https://static.usrfiles.com/ugd/b8c837_eae511e1d280401e82e865bf8488f0b6.pdf
    • https://static.usrfiles.com/ugd/b8c837_54174a709f984c2095b8e28430d22a9e.pdf
    • https://static.usrfiles.com/ugd/b8c837_0680102c75d64b889e4aaa0fcce7aad8.pdf
    • https://static.usrfiles.com/ugd/b8c837_b65c760b31a648a095036790a0873184.pdf
    • https://static.usrfiles.com/ugd/735189_451c040bd8fd494cb66a3d4e40acd6df.pdf
    • https://static.usrfiles.com/ugd/e4ff69_183fe7ae2833415ea7a79bea2eaa77c3.pdf
    • https://static.usrfiles.com/ugd/dd4472_7cff0c9d2e2e4f51a6e470464928c69f.pdf
    • https://cdn.shopify.com/s/files/1/0431/6954/6395/files/gungeon_omega_bullets.pdf
    • https://cdn.shopify.com/s/files/1/0431/7249/5519/files/14966060508.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005caa.bin
e64ecb33c2c51e59c6b1f29ebda101280f9a860183274bcd9bcf38f9c52a260b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CAA 5768 bytes
font_01_sfnt_off0000704f.bin
79cb1b819fb210c08fb4c6bf08683c7bd8559c27d9f6fc2327227296be05c126		 pdf-font-stream PDF embedded font (sfnt) at offset 0x704F 12168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.