Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0efdb2ba210fbc9…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB
Created: 2020-08-29 05:53:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 85a4c6a0e69982ab0bcd4bfd657c817b
SHA-1: 3b329c7133780217bf30d81173826c317c243497
SHA-256: c0efdb2ba210fbc9335ac76499bb8983ddc87167a846bf30d8935a5a6d6b9d9b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a sensationalized news headline as its document body, designed to entice the user to click on a link. The primary link identified, 'https://ttraff.me/wix?keyword=local+hero+arrested+after+killing+30', is flagged as a malicious redirector. Additionally, the PDF exhibits characteristics of a link farm, embedding numerous URLs, with 'https://static.usrfiles.com/ugd/b8c837_b111bcfe82c842a28e11f9337c50e9df.pdf' being the first in the list. No scripts were extracted, but the presence of a malicious redirector and the link farm structure strongly suggest a phishing or social engineering attack.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=local+hero+arrested+after+killing+30
    • https://static.usrfiles.com/ugd/b8c837_b111bcfe82c842a28e11f9337c50e9df.pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                     | Size
------------------------------|------------------------------------------------------------------|-----------------|--------------------------------------------|------------
font_00_sfnt_off00006615.bin  | 7cfbdcc044effbe052d4b51a673b6df485a5e2da0a69b7b68161809b29e50358 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6615  | 5596 bytes
font_01_sfnt_off00007905.bin  | 186f094819321189faa30090f9ecdf9fd4841dde97c1337636cb7af37e37b37f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7905  | 1824 bytes
font_02_sfnt_off000081f2.bin  | 7cbfc5e14fd535014936cf4fa6d194517c358729bfd70580f3c72d6789fdb4b6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x81F2  | 10528 bytes
font_03_sfnt_off0000a5e4.bin  | 87113c214ce391f374f07ec2d802aa7cf89521a22630d24b2f155e8ad8548ec2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5E4  | 16192 bytes