Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9641d75026d83b5…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Created: 2020-09-16 17:08:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 088c38741f9d3c84120a12fe077e1a88
SHA-1: 3b07ef7d553b07264869e3b26785919b0ff6665f
SHA-256: b9641d75026d83b5e0301054345390da23cad8b33eb2466fe33da4d99e1cdad1
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF is a link farm dressed up as a manual for a 'Leaf River game camera'. The primary embedded URL, https://ttraff.me/wix?keyword=leaf+river+game+camera+ir-3bu+manual, is known malicious redirector infrastructure. The document also carries thirteen further links to PDF files hosted on filesusr.com, consistent with an SEO link-farm strategy for raising the search ranking of the malicious content. A 'download' call-to-action phrase in the page text (SE_DOWNLOAD_BUTTON) further supports a lure that depends on the user clicking rather than on a parser exploit.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=leaf+river+game+camera+ir-3bu+manual (flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • https://132fe351-a6e5-4d84-98a5-851a855cd2b5.filesusr.com/ugd/fb5067_3f68f141f37c448296e17bab68af3d03.pdf?index=true
    • https://bf79bba3-917b-4e9e-b881-b9f51c31b78f.filesusr.com/ugd/80bfa9_9db0863760d54aaa90def681cb0f5a06.pdf?index=true
    • https://d2fc18dd-71ef-45d9-96d1-dade9ecbc836.filesusr.com/ugd/d93890_0394417aa8ef42c59d0eec57afba5204.pdf?index=true
    • https://a77813ef-7c0b-4e94-886d-35b3316f5cb4.filesusr.com/ugd/8bf3fc_dbaf829492894a13a39e0a52204b184b.pdf?index=true
    • https://53f4b50f-7559-455e-b176-518cc22d645f.filesusr.com/ugd/dc8a8e_59c6a597460b46a2aa6a38c23ecc1b00.pdf?index=true
    • https://1fe9b630-f808-11ea-a328-fc4dd43d38a6.filesusr.com/ugd/2b25b5_485d793debeb45bd9250f5940c6ed34d.pdf?index=true
    • https://523332b7-d976-4cd9-ac40-2396010d4275.filesusr.com/ugd/f1780b_59aa152fad7c4b37919f003ebf37b0b7.pdf?index=true
    • https://0905199a-9085-4d43-b89e-b191c6743a44.filesusr.com/ugd/f08e01_5a527b8a038d4177a4f0f9f9030aa857.pdf?index=true
    • https://002b6cd2-2f87-43c7-a6ac-2c647ac374fd.filesusr.com/ugd/93c935_67b5e26f44214660a18f7ba8adb53739.pdf?index=true
    • https://3dd1b2c9-36a0-483e-b46c-8bac5c7e573e.filesusr.com/ugd/3225da_831b50e9f73d488db4678ea2d6e96dfc.pdf?index=true
    • https://f4e09a62-2c18-4152-9b13-054e6e768703.filesusr.com/ugd/668a47_c8d60a0d12014702bffc7bae6b4d2433.pdf?index=true
    • https://90a9d72a-93ee-45c6-b273-ffb7a9762ec8.filesusr.com/ugd/838e7e_c2181fae0e504f2f8963aad10854c5e8.pdf?index=true
    • https://93a0920e-ae5c-462b-8c60-dc83a62ed2e5.filesusr.com/ugd/9df9d6_fc5f354a1cc641299bb9a9b84104eca7.pdf?index=true
    Standard XMP/RDF namespace identifiers from the document's metadata stream (not clickable links; expected in any PDF carrying XMP metadata):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
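The two critical heuristics above (PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM) can be reproduced from the raw file without a full PDF parser. The following is an added example written for this report, not the code of the scanner that produced it: it pulls every /URI literal from the file and from any stream zlib can inflate, then scores the link set. Everything not taken from the report is an assumption: the size, link-count and clustering thresholds are illustrative, a host's parent domain is approximated by its last two labels (no public-suffix list), and REDIRECTOR_INDICATORS is a constructed stand-in for a real indicator feed seeded with the ttraff.me host named above. The sample PDF it scans is constructed inline (made-up UUID hosts on filesusr.com plus the report's redirector URL and one XMP namespace URI).

```python
"""Added example, not the scanner behind this report: extract the URIs a PDF's
link annotations point at and apply the two critical heuristics listed above.
Assumptions made here only: FlateDecode streams are inflated so URI dictionaries
inside object streams become visible; a host's parent domain is its last two
labels (no public-suffix list); thresholds are illustrative; REDIRECTOR_INDICATORS
is a constructed stand-in for a real indicator feed, seeded from this report.
"""
from __future__ import annotations
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# A stream body; the lookbehind keeps "endstream" from starting a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\s*endstream", re.S)
# A PDF literal string following /URI, ending at the first unescaped ')'.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)

SMALL_FILE_BYTES = 200 * 1024          # "small PDF" (assumption)
MIN_PDF_LINKS = 8                      # external .pdf links needed (assumption)
MIN_CLUSTER_SHARE = 0.7                # share on one parent domain (assumption)
REDIRECTOR_INDICATORS = {"ttraff.me"}  # constructed indicator set


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Unique /URI targets from the raw file plus every stream zlib can inflate."""
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:  # decompressobj tolerates trailing bytes and a truncated tail
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data (images, fonts, ...)
    seen: dict[str, None] = {}
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
            seen.setdefault(raw.decode("latin-1"), None)
    return list(seen)


def parent_domain(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_farm_finding(uris: list[str], file_size: int) -> dict | None:
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, one dominant domain."""
    pdf_links = [u for u in uris if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    if file_size > SMALL_FILE_BYTES or len(pdf_links) < MIN_PDF_LINKS:
        return None
    domain, n = Counter(parent_domain(u) for u in pdf_links).most_common(1)[0]
    if n / len(pdf_links) < MIN_CLUSTER_SHARE:
        return None
    return {"id": "PDF_SEO_LINK_FARM", "pdf_links": len(pdf_links),
            "cluster_domain": domain, "cluster_links": n}


def redirector_finding(uris: list[str]) -> dict | None:
    """PDF_MALICIOUS_REDIRECTOR_LINK: a link whose parent domain is a known redirector."""
    hits = sorted(u for u in uris if parent_domain(u) in REDIRECTOR_INDICATORS)
    return {"id": "PDF_MALICIOUS_REDIRECTOR_LINK", "urls": hits} if hits else None


def scan(pdf_bytes: bytes) -> tuple[list[str], list[dict]]:
    uris = extract_uris(pdf_bytes)
    findings = [f for f in (link_farm_finding(uris, len(pdf_bytes)),
                            redirector_finding(uris)) if f]
    return uris, findings


# Constructed sample input: the redirector URL from this report, twelve link-farm
# style URLs on made-up UUID hosts under one parent domain, and one XMP namespace
# URI like those listed above (which should trip neither heuristic).
SAMPLE_URLS = (
    ["https://ttraff.me/wix?keyword=leaf+river+game+camera+ir-3bu+manual"]
    + [f"https://{i:08x}-0000-4000-8000-000000000000.filesusr.com"
       f"/ugd/{i:06x}_{i:032x}.pdf?index=true" for i in range(1, 13)]
    + ["http://ns.adobe.com/xap/1.0/"]
)


def build_sample_pdf(urls: list[str]) -> bytes:
    """Minimal one-page PDF with the URLs as Link annotations; every second one is
    stored inside a FlateDecode object stream so that inflation is exercised."""
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
              f" /A << /S /URI /URI ({u}) >> >>" for u in urls]
    packed = zlib.compress(" ".join(annots[1::2]).encode("latin-1"))
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
            + " ".join(annots[0::2]).encode("latin-1") + b"] >> endobj\n"
            b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
```

Calling scan(build_sample_pdf(SAMPLE_URLS)) returns all 14 URIs (the seven stored in the compressed object stream included) and both critical findings; the XMP namespace URI is extracted but counts toward neither, which is why the report lists such URIs under EMBEDDED_URL without flagging them. Hex-encoded /URI strings and streams using filters other than FlateDecode are not handled here, which is one reason a production scanner uses a real PDF object parser.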

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000562a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x562A  5360 bytes
  SHA-256: 9587c599c978b045d8ea253e19d42f3fe3bef3cb094c055f5c9346dec92c19e9
font_01_sfnt_off00006874.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6874  10112 bytes
  SHA-256: 9429e154ea8583ddc9125c668f5ff0bd89c161195cc4f405c08b58c8449cddc0

Both artifacts are embedded font programs of the kind wkhtmltopdf/Qt emits for any rendered text; they are carved for completeness and are not flagged by any heuristic above.