Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcb642ef6499795c…

MALICIOUS

PDF

42.7 KB Created: 2020-08-31 03:37:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 839f008cef1ebe39b5e4654e2ed2aa02 SHA-1: f863ffe3e8f4d18ab3b66402d53b98053a437ee8 SHA-256: bcb642ef6499795c5d13a54219ee43eca50d29a44c3e88a5a566aec1b9996ca2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with a critical heuristic firing indicating a malicious redirector link to 'ttraff.com'. Another critical heuristic identified a PDF link farm with 28 external links, predominantly hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same malicious URL. This suggests the primary attack pattern is to lure users to malicious sites through a large number of links within the document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=jesus+for+president
    • https://static.usrfiles.com/ugd/7ea8bb_5c48e9220d054d8d94fb9b2b6bab9cab.pdf
    • https://static.usrfiles.com/ugd/dfb5f8_949fd860e672448a9dd302c1741e1767.pdf
    • https://static.usrfiles.com/ugd/b8c837_c21f99e7162d4716ba4de2ede43cec1f.pdf
    • https://static.usrfiles.com/ugd/ec0c41_dad0a4c0fe4a421a987107a398002add.pdf
    • https://static.usrfiles.com/ugd/b8c837_65107c90225148b7ab58151f91e311ad.pdf
    • https://static.usrfiles.com/ugd/b8bbd7_4a77f82f6dfd4695a9ab311f0b2e1c52.pdf
    • https://cdn.shopify.com/s/files/1/0439/0017/4504/files/5840514174.pdf
    • https://cdn.shopify.com/s/files/1/0432/1283/2931/files/nugobebap.pdf
    • https://cdn.shopify.com/s/files/1/0438/9378/4728/files/teaching_characterization.pdf
    • https://static.usrfiles.com/ugd/a4e402_415ce1efe21144eab4c7ad33be43ba7d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ab510ceca5b543cf8b782a77f8b8efb8.pdf
    • https://static.usrfiles.com/ugd/aa14a9_f4dc183283c8435589003cf69dcd98f8.pdf
    • https://static.usrfiles.com/ugd/d55797_126699fa52d34d8bb5bbe6179f7ad96f.pdf
    • https://static.usrfiles.com/ugd/b8c837_8bda8bdaa3984470a4fde9f2de22f781.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bbd.bin
da3a23ca56b3159e5f5acf32660bd48349ccf5da177895b22e1873734dc411cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BBD 4780 bytes
font_01_sfnt_off00007c17.bin
d9d1865f9843ac56cd5a1148d0f3c26d8bf9f0bc7a42d103535e3c28fb659764		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C17 10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.