Malicious PDF — malware analysis report

Static analysis result for SHA-256 be608ab31fbe2906…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-09-17 15:08:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4491b188b06c9f97d66132999986f102
SHA-1: b1d778ac5466313e1cdbda2de6a46a397136f604
SHA-256: be608ab31fbe2906f3faf9d6f303680d492184a5997168ba842e5807ac159712
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a lure related to 'traffic court judge on tv' and mentions a deadline, aiming to trick the user into clicking a link. The primary malicious link identified is 'https://ttraff.link/wix?keyword=traffic+court+judge+on+tv', which is flagged as a malicious redirector. The document also contains a large number of embedded links, many pointing to files hosted on filesusr.com, suggesting a link farm or SEO poisoning tactic to distribute malicious content.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=traffic+court+judge+on+tv

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006fd0.bin
  SHA-256: 82b19f7925947fbf99a588ed7be6a49034904d44a06ebab0c0b01ff72b83e7b7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6FD0
  Size: 5064 bytes

Filename: font_01_sfnt_off0000812b.bin
  SHA-256: 72817046440433a0495edd1f4ef0c9f929b0d76590f975f891991eaf3fb8f848
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x812B
  Size: 10232 bytes