Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3588e7045eb2d02…

MALICIOUS

PDF

55.8 KB Created: 2020-09-02 17:19:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e0fbeb2c4f253ddfeaab2b1f0301e68 SHA-1: bd11952db89133c265127d93445b4307d11fcf7d SHA-256: c3588e7045eb2d02af4240e0d67a91be00abc16de1c1304e6f3010092391703d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=legends+of+aria+fighter+guide'. The document body, though heavily obfuscated, also contains this URL and references to 'Legends of Aria fighter guide', suggesting a lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to static.usrfiles.com, likely to improve search engine ranking for the malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=legends+of+aria+fighter+guide
    • https://static.usrfiles.com/ugd/79e5df_9c4d2a2a1fc440a88b05a0c0025bfdd7.pdf
    • https://static.usrfiles.com/ugd/704566_0542bf7ce8554746bae94b3833cb2d76.pdf
    • https://static.usrfiles.com/ugd/0fdb6d_b67f39be901d45bdbf17454b3f50a22e.pdf
    • https://static.usrfiles.com/ugd/9dda13_6400c59360064c9a90f760751a473815.pdf
    • https://static.usrfiles.com/ugd/6a7407_58366144518842f8a6f5bdfe762ee155.pdf
    • https://static.usrfiles.com/ugd/c068f8_6de0655dfd15429680a360b7f5b1a9e9.pdf
    • https://static.usrfiles.com/ugd/912de2_9f073ba1d6fb4949a2f100a74a8c9130.pdf
    • https://static.usrfiles.com/ugd/b8c837_c9a476d06f4149d8891dea33996ddab3.pdf
    • https://static.usrfiles.com/ugd/dc98cc_f0b2bedf57304a49ac5ec65be1dedff3.pdf
    • https://static.usrfiles.com/ugd/c63bf9_295ae092dc6a44dfb0b3fe839e1c0c28.pdf
    • https://static.usrfiles.com/ugd/b8c837_89a4ea3ff8a14ee09f582ce94b139d16.pdf
    • https://static.usrfiles.com/ugd/ee6770_24f986e4918c4672832178b0b346cda7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009ead.bin
18bfcd7c0436a5cc940190424312f536f75760ad4158573a43d98f3070850418		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9EAD 5076 bytes
font_01_sfnt_off0000aff4.bin
7657781ad013e1a2a6f89fae8f4246a4e8851afc3c68eba65afd763ea8a8060a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAFF4 10120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.