Malicious PDF — malware analysis report

Static analysis result for SHA-256 c61f0dbe8b842660…

Verdict: MALICIOUS
File type: PDF
Size: 39.8 KB
Created: 2020-08-29 15:42:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5458cce0b59193a9e691ba461ef17ea1
SHA-1: e268fdc7061a1c148d5f4aaf329d31dfd0b85d87
SHA-256: c61f0dbe8b842660d6dc80bec0cd919ca7f33e7fa0f2b381f9c506eb3098436a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, a technique often used for SEO poisoning or to redirect users to malicious sites. One critical heuristic firing indicates a direct link to known malicious redirector infrastructure at 'ttraff.com'. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wix?keyword=principles+of+accounting+2nd+edition', suggesting a lure related to accounting material. The presence of multiple links to 'static.usrfiles.com' also points to a link farm strategy.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=principles+of+accounting+2nd+edition
    • https://static.usrfiles.com/ugd/b8c837_f601a48014ad4ce6a86afe8b1550cd5c.pdf
    • https://static.usrfiles.com/ugd/6240f8_b1e194027f474bd5ac2b7014cf9924a1.pdf
    • https://static.usrfiles.com/ugd/b8c837_96eedea859fb4cba9c5132bc38469d66.pdf
    • https://static.usrfiles.com/ugd/b8c837_920bd37b31704ac082473788501103f1.pdf
    • https://cdn.shopify.com/s/files/1/0428/1348/9318/files/61237966735.pdf
    • https://cdn.shopify.com/s/files/1/0448/3586/4736/files/75388152738.pdf
    • https://cdn.shopify.com/s/files/1/0438/5076/0357/files/north_atlantic_gedmatch.pdf
    • https://static.usrfiles.com/ugd/b8c837_acc0d9c00c1646f6ac83b160b2d77bd1.pdf
    • https://static.usrfiles.com/ugd/b8c837_c5b233dc73fd4a88a304364b1932c1ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_e5eb673b6412452e94fc6eca72eff72b.pdf
    • https://cdn.shopify.com/s/files/1/0432/3934/2247/files/51349096991.pdf
    • https://cdn.shopify.com/s/files/1/0467/5190/8003/files/first_angle_orthographic_projection.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005b53.bin
    SHA-256: dabc9ca504863b1bcdd30f48e8e73ffa7135e92ffa2b9a595afcc2e42f64fbe9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5B53
    Size: 5456 bytes
  • Filename: font_01_sfnt_off00006de4.bin
    SHA-256: c6fa758e72471f22f30cc7da966d580aa7360df0db2f18a67e58626ff2447175
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DE4
    Size: 10928 bytes