Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba941bbb4be6d043…

MALICIOUS

PDF

46.3 KB Created: 2020-09-07 03:12:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73d0ba0fc5f45c4f51d9ecfb0d5d9bdd SHA-1: 79e8aa128be4dc4138ca5184fbd0dd425f18004b SHA-256: ba941bbb4be6d043c4609b53bd92c7f3e16eb90533f0e3dd63af3a4cd2148da1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.club/wix?keyword=booth+algorithm+pdf'. This indicates an attempt to direct users to a malicious site. The document body, though heavily obfuscated, contains references to the same URL and other URLs hosted on Shopify and static.usrfiles.com, suggesting a link farm or redirection strategy. The presence of multiple PDF links further supports the link farm heuristic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=booth+algorithm+pdf
    • https://cdn.shopify.com/s/files/1/0467/5852/7139/files/exhibitor_list.pdf
    • https://cdn.shopify.com/s/files/1/0428/4622/4551/files/4750943217.pdf
    • https://cdn.shopify.com/s/files/1/0431/3514/0007/files/81175334032.pdf
    • https://static.usrfiles.com/ugd/10b11f_35ba00ac8ade4763ab22a9af3eda06cd.pdf
    • https://static.usrfiles.com/ugd/accd1f_d21f9ccef9ff4d47a679b48e2e6679ac.pdf
    • https://static.usrfiles.com/ugd/3dd68e_741da27edfee4daab492c81bd82ecd24.pdf
    • https://static.usrfiles.com/ugd/68ec51_012b87f118cf4ff38cde2503a55d0541.pdf
    • https://static.usrfiles.com/ugd/1df9ea_ac6fb9440e8b40a4b628e3835210a410.pdf
    • https://static.usrfiles.com/ugd/fd30ac_798cc2a4e5a14dc5a590c7bb80fecf6c.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc88f8d536d54c9793ab3acb6a5863a3.pdf
    • https://static.usrfiles.com/ugd/911c12_de0ec4179e6e40f8a07494316d12d429.pdf
    • https://static.usrfiles.com/ugd/11baf9_e59abdedb81d4330a04adc4805273032.pdf
    • https://static.usrfiles.com/ugd/ee4d88_9dd65725a6ec4a60810961afdea104a7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000679c.bin
1fd8452ba974cbeac4ceca26fd1f98d6fb8e86912501c6f1e4435a0e7dfb886e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x679C 5324 bytes
font_01_sfnt_off00007951.bin
9f9c4e50aa7525d26bb826dbf81faa8621d6aae46055a71a8443be55dee35297		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7951 6300 bytes
font_02_sfnt_off000088af.bin
a0f99cd41d7ef1f5f8a3512eb0d1fecc961a86864b4b56ba81e94acb8a094399		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88AF 10276 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.