Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1ccb4c83066d5b0…

MALICIOUS

PDF

41.6 KB Created: 2020-09-06 16:53:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c8af411b72cf6fc026d981788f6b299 SHA-1: 12d942e91ad491761626d340ed877f98ecafc77c SHA-256: c1ccb4c83066d5b058947eee5dbf61406b96e25b7a3d6b8a715ea4db95410d73
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a significant number of embedded links, with the primary redirector URL being 'https://ttraff.link/pify?keyword=marble+lab+report'. This URL is flagged as malicious and is part of a link farm strategy. The document's structure and the presence of numerous links suggest an attempt to lure users to malicious websites, likely for credential harvesting or malware distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=marble+lab+report
    • https://static.usrfiles.com/ugd/ffe0d3_4126619c424f44be983b5f0254f4d82a.pdf
    • https://static.usrfiles.com/ugd/b8c837_a97c488d32be40fe8217e8406d7f95f4.pdf
    • https://static.usrfiles.com/ugd/0a052f_40dac93f70184b82839e1ad3fd8bdbc4.pdf
    • https://static.usrfiles.com/ugd/b8c837_3565d4abd4c442fd8fe0d5a074a5f5d2.pdf
    • https://static.usrfiles.com/ugd/1decf9_5e41dc4b59304f6cbdb1e131dc5cd1a4.pdf
    • https://static.usrfiles.com/ugd/485053_ddc5ebe7d6744c329f848ab4cfeece92.pdf
    • https://static.usrfiles.com/ugd/99a8f2_afffaaece4ca4e6e8d44b85900014b4e.pdf
    • https://static.usrfiles.com/ugd/de60da_99eb1255c9cb4f7a945c084955ab170f.pdf
    • https://cdn.shopify.com/s/files/1/0431/8999/3621/files/full_album_bts_face_yourself.pdf
    • https://cdn.shopify.com/s/files/1/0450/3647/0430/files/gogazulenunaxez.pdf
    • https://cdn.shopify.com/s/files/1/0434/4214/3397/files/nesetasewurevejasisojile.pdf
    • https://cdn.shopify.com/s/files/1/0433/5940/4191/files/50866748307.pdf
    • https://static.usrfiles.com/ugd/837d34_abd5d419e798444e8a77928afcd5791b.pdf
    • https://static.usrfiles.com/ugd/b8c837_9efd570261854a398a815d6a1a0108b5.pdf
    • https://static.usrfiles.com/ugd/eb5a6a_4fdbd89f58bd466bbba3bdd148a4867e.pdf
    • https://static.usrfiles.com/ugd/67e251_4ab3b5b3204b441a93d7d5c9e8f830f2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065e5.bin
788e1272ab5d7ef5ab79d05a730d70c3c6187e240cd29cfb48da3de31b340ad4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65E5 4780 bytes
font_01_sfnt_off0000763a.bin
2f02ef2b20ae5aa9234b71561a14bb06ac509fbc0183edc895bfa29d53e6fa2b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x763A 10412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.