Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf9e632646aecc29…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2020-08-31 09:23:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58a10a574ff6c2696f3b5558003ea7fd
SHA-1: beb8b4b415788e6de87d898f912bae0a22353c2b
SHA-256: bf9e632646aecc299a5392c4eedd640d33585c6070f1b89d55f5fdbb51fba584
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/wix?keyword=dheevara+song+mp3', is designed to redirect users to malicious infrastructure. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to external PDF documents, likely an attempt to manipulate search engine results or distribute further malicious content.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=dheevara+song+mp3

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000517e.bin
    SHA-256: e689a9a9efab04a2f13010b5c1db3c49a27339903455becfa43d085655003c13
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x517E
    Size: 5424 bytes
  • Filename: font_01_sfnt_off000063df.bin
    SHA-256: a02068c7791baea0318580fab99e890a1260e7fb039b7e6cceaf459981493947
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63DF
    Size: 10968 bytes