Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc88549399a9dc55…

MALICIOUS

PDF

47.2 KB Created: 2020-09-07 00:55:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5407d240615bd548d15af30497c79ffc SHA-1: d78312a013b9cebca6607f8780a97d6d83de33b8 SHA-256: bc88549399a9dc55e0c1f6a78fdbd1a53e3024b30930862caacc607146860290
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically pointing to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to 'Star wars movies' and the URL itself, suggesting a lure to entice users to click the malicious link. The presence of a link farm heuristic further indicates an attempt to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=star+wars+movies
    • https://static.usrfiles.com/ugd/a01749_fa480f4be38e49f6a36930d374542035.pdf
    • https://static.usrfiles.com/ugd/7598fa_cfdd4277eb8b4292b51490d50c061534.pdf
    • https://static.usrfiles.com/ugd/b42fd6_80d46f1b6c58468faa433e3bf6077a78.pdf
    • https://static.usrfiles.com/ugd/51c472_5e44688b929a407b9a3d50e8841a2061.pdf
    • https://static.usrfiles.com/ugd/2eec94_c8007d7727c641d7b2cde8a119afeed2.pdf
    • https://static.usrfiles.com/ugd/a640e9_9d0d57f20f804963ae4c984bd9d5d75e.pdf
    • https://static.usrfiles.com/ugd/3aee12_63c8a0d0bc2d4139a24c10da5d1c35dd.pdf
    • https://static.usrfiles.com/ugd/c0b427_ee76782802654285add0263ef9ba5d15.pdf
    • https://static.usrfiles.com/ugd/0049ca_cda32a900b514c5ead5f303cda1e43df.pdf
    • https://static.usrfiles.com/ugd/5b9365_da9ebbcb6665473595efd3e160cdf21d.pdf
    • https://static.usrfiles.com/ugd/9d869b_034c56f23f0f41c181281738b536719f.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_1a8462bc4a364de98e5d4b024d2d9b85.pdf
    • https://static.usrfiles.com/ugd/b8c837_9dedc56197484533b1324d7af58c9926.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bd2.bin
3de7f381056d1e2543bb307a37852f654e54298074534c314254451759a22eb2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BD2 5056 bytes
font_01_sfnt_off00008cff.bin
4ea7cd3e4ba4ed159b3552d5a9403efdc9fb13cf98947d1b4a28cf5b667eeedd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8CFF 10416 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.