Malicious PDF — malware analysis report

Static analysis result for SHA-256 becb8867439e023d…

MALICIOUS

PDF

73.3 KB Created: 2020-09-06 19:29:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 401b62d961e302f8468fb19bcb4d78ee SHA-1: 3070e147da184e567195dcc3cb90bf196f6548e1 SHA-256: becb8867439e023d955bbd3183fd4cb279571bd9bd83da738f00428fa49c0f7f
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains heuristics indicating it is a malicious redirector and part of a link farm, designed to lure users with urgency and payment-related language. The embedded URL, https://ttraff.club/pify?keyword=payment+instalment+agreement+template, is a known malicious redirector. The document body, though heavily obfuscated, contains references to payment agreements and the malicious URL, reinforcing the lure. The file's purpose appears to be directing users to malicious infrastructure.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=payment+instalment+agreement+template
    • https://static.usrfiles.com/ugd/b8c837_25204655f552469babcc728c7980d808.pdf
    • https://static.usrfiles.com/ugd/b8c837_5fdb7d79bdff4ada8e030df7de01ffe3.pdf
    • https://static.usrfiles.com/ugd/de9003_173775b1157248d09c338003136aecc2.pdf
    • https://static.usrfiles.com/ugd/3e9e83_31ba9fa2bf3b4c73bb1c5b6106e70bab.pdf
    • https://static.usrfiles.com/ugd/88a84f_a74e994e6e864d88846eb31d49dfb3f2.pdf
    • https://static.usrfiles.com/ugd/abd6ea_3c2ddaefd35e4706805a5f7668353031.pdf
    • https://static.usrfiles.com/ugd/96564c_ea4487a56a694903b6fe5ec4501afd7b.pdf
    • https://static.usrfiles.com/ugd/e4f6f0_f9aee78a117c437ea938f1f01d1e11e7.pdf
    • https://static.usrfiles.com/ugd/b8c837_afbd54352cb94bdeb28929a7b297f7fd.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/41326774972.pdf
    • https://cdn.shopify.com/s/files/1/0433/2670/1726/files/39664515323.pdf
    • https://cdn.shopify.com/s/files/1/0434/7055/3250/files/71666581343.pdf
    • https://cdn.shopify.com/s/files/1/0430/1701/1353/files/64935680235.pdf
    • https://cdn.shopify.com/s/files/1/0435/6364/7137/files/monixof.pdf
    • https://static.usrfiles.com/ugd/b18e4d_4c2ab0ea1a574868bf4d510f8018ffca.pdf
    • https://static.usrfiles.com/ugd/1e4819_ef65312d07df4e01b5ddc4f61d3bec65.pdf
    • https://static.usrfiles.com/ugd/b90ba1_23df6a825ceb4ab4b1d7a17031d81edf.pdf
    • https://static.usrfiles.com/ugd/b8c837_8a741c2f450e490d8d5542c3a90a17ec.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d73d.bin
dd7b880f1c6958317b71933e3175eb4154b1281d355b69180e4ce829e506ee21		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD73D 2828 bytes
font_01_sfnt_off0000e137.bin
3f7dcbe1973ec0aefbe0d9d2393fedf618e19b85ecbc7d311d08b904b9e30fea		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE137 5244 bytes
font_02_sfnt_off0000f301.bin
01c2ce5513d881ec4dbdc59f51e54ccf11f4d60297d644f9f0ea8be6b1049a1c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF301 10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.