Malicious PDF — malware analysis report

Static analysis result for SHA-256 c660141ff542e450…

MALICIOUS

PDF

40.9 KB Created: 2020-08-31 02:22:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 48a5de63be15a190b39373db956e76dc SHA-1: 52ae3267e618196fe27cf16613aaad7d37fb6940 SHA-256: c660141ff542e4506321a18b933851ee1e5cbee418f069dcc5b0ab37c978caba
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, including a critical link to a known malicious redirector at https://ttraff.com/wix?keyword=garmin+15+review. The document body, though heavily obfuscated, contains keywords related to a review, suggesting a lure to entice users to click the malicious link. The presence of numerous links to static.usrfiles.com indicates a link farm designed to improve search engine ranking for malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=garmin+15+review
    • https://static.usrfiles.com/ugd/18f527_649c9ebd615c4767a57fbd6b6842f244.pdf
    • https://static.usrfiles.com/ugd/6116da_fc77820e4b824d66b81d1e567aea7978.pdf
    • https://static.usrfiles.com/ugd/b8c837_df087bd10e5f419e8aa4f439edae7421.pdf
    • https://static.usrfiles.com/ugd/704566_1ae5eb3f2f624334b23f24ea96817342.pdf
    • https://static.usrfiles.com/ugd/fd7405_01cdc5433c7e4b47a96cda739abba3a1.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ea909af08f64bdaa4c5220f14457c2e.pdf
    • https://static.usrfiles.com/ugd/6a22cb_b67801a47dbb48b1bfb59dbdf6f51080.pdf
    • https://static.usrfiles.com/ugd/97aff7_e1bca05f48a048f299c15afd0d9b059c.pdf
    • https://static.usrfiles.com/ugd/b8c837_de4b68173cf7430ba8f07f3740fed396.pdf
    • https://static.usrfiles.com/ugd/3bca44_f99a1788036f43008f6dc7c5bf98e2dd.pdf
    • https://static.usrfiles.com/ugd/fd3290_a57a4feeab3c4a57b4afa7a652ca3488.pdf
    • https://static.usrfiles.com/ugd/c7a620_38a9e3226aff481ea0e907f70151a9b5.pdf
    • https://static.usrfiles.com/ugd/b8c837_49ecb1d4859a4784a24d40ff33b95f8a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063b8.bin
12ecfda408d8b95f170fdf4834a696799992209fdac88e45c3a7601be15973d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63B8 4980 bytes
font_01_sfnt_off000074b4.bin
e7c7b0648c20fcaa41497c90cc0f881cec0e8bd3dc3a88fd7b2d11c929656c2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74B4 10024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.