Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7da0bc343179cc7…

MALICIOUS

PDF

44.4 KB Created: 2020-08-30 07:41:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7728e71f25ea51bf14c30197eb8954e6 SHA-1: ab6fe3ae0a1e6bc725c7576e56e1ca8eee273365 SHA-256: c7da0bc343179cc7811912da4e0c1fa3fa52f6d3d284a9d42849f655ef4bf019
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=tales+of+aravorn%253A+seasons+of+the+wolf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs hosted on 'static.usrfiles.com'. The document body, though heavily obfuscated, contains the same redirector URL and what appears to be a game or book title, suggesting a lure to a malicious site. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=tales+of+aravorn%253A+seasons+of+the+wolf
    • https://static.usrfiles.com/ugd/e3834b_a60fbd1863384160be9918ea9fcab99d.pdf
    • https://static.usrfiles.com/ugd/e2b09b_c024b26d97ec474cb5c0e66146fb2656.pdf
    • https://static.usrfiles.com/ugd/b8c837_a854bb83da1b4120a1e47e8931722097.pdf
    • https://static.usrfiles.com/ugd/11f207_93921fb6bca4463bac061a286c0e1008.pdf
    • https://static.usrfiles.com/ugd/599026_f38a8c8d2bc74c38bc3b38a2adf455c8.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_8a14f129470e4d40a57cdb2a38995d79.pdf
    • https://static.usrfiles.com/ugd/80c1db_47b005659b1842168ba39caf5a39251d.pdf
    • https://static.usrfiles.com/ugd/3b7182_0db084c6e727445eaceabbcb88a502e4.pdf
    • https://static.usrfiles.com/ugd/b8c837_ef332902125d44f09dab24f6d572cbe8.pdf
    • https://static.usrfiles.com/ugd/5de1df_0f345d182f1e497787768748958ae22e.pdf
    • https://static.usrfiles.com/ugd/b8c837_f8cd5ee44960487a982fb377bac65caf.pdf
    • https://static.usrfiles.com/ugd/b8c837_20ffe5153bf840dda99856ec899bec2e.pdf
    • https://static.usrfiles.com/ugd/9904c2_556cddedbd134ede9829a3c544c30762.pdf
    • https://static.usrfiles.com/ugd/b8c837_64a5360b754243ffa1bec505528476f8.pdf
    • https://static.usrfiles.com/ugd/b8c837_cc71f22b4e5b4f298e5c14a51542fe7a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f44.bin
a4462d64d4f8978590db57b6a499d7c4bc94a1ceeff9e600cc6a93fc189bbc30		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F44 5004 bytes
font_01_sfnt_off0000805d.bin
d48d57d0d510b9bef6023a335b4f72198db2271cab90fb4392dc2e22b7872c6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x805D 10952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.