Malicious PDF — malware analysis report

Static analysis result for SHA-256 cde8dda9f6b04dc8…

MALICIOUS

PDF

38.6 KB Created: 2020-09-13 03:29:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9055ef58b42f1debd848676ecd8eaa0c SHA-1: eb8b2b8a7790dc9d323471b14e8aaf6f86fb4c67 SHA-256: cde8dda9f6b04dc8498c8f188c5b32e8b16c7a1ca063f2530c6dc1aaafe6e598
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a PDF link farm. One of these links, 'https://ttraff.me/wix?keyword=pocket+dilation+guide', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it's the primary lure. The presence of numerous links to 'static.usrfiles.com' indicates a potential SEO poisoning or traffic generation scheme.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=pocket+dilation+guide
    • https://static.usrfiles.com/ugd/80bfa9_96875e34675e467c955c70322118cb39.pdf
    • https://static.usrfiles.com/ugd/b48b60_bef547cb95444a0ba2b9ec33bd603c26.pdf
    • https://static.usrfiles.com/ugd/1e4819_2d151d659c4747d28a84e575cad4e32f.pdf
    • https://static.usrfiles.com/ugd/dd4472_277386c7d85448e4a91a99d5b169ae01.pdf
    • https://static.usrfiles.com/ugd/70094d_c3efb4babb6444aa99c94fb642798c11.pdf
    • https://static.usrfiles.com/ugd/7c30af_fa93cd3e8b7043588e228b9cba18ab36.pdf
    • https://static.usrfiles.com/ugd/3649d2_e943f45619b543f2872bf2d8f739b2ae.pdf
    • https://static.usrfiles.com/ugd/7baf93_041fb3aa579f4c8f8ccfc961329a490a.pdf
    • https://static.usrfiles.com/ugd/b4a829_ea2b9c703f624e97874c2236a9328fb1.pdf
    • https://static.usrfiles.com/ugd/b8c837_ddcf71396a3c463a99180d85e72960ff.pdf
    • https://cdn.shopify.com/s/files/1/0432/2787/3440/files/save_smaller_file_size_mac.pdf
    • https://cdn.shopify.com/s/files/1/0432/0791/7729/files/34945464334.pdf
    • https://cdn.shopify.com/s/files/1/0427/9743/2999/files/lajipegalama.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000433d.bin
bad7a8a6222281daf6a011e52bc353ae70f79ff327d2c794d44f64d477d614fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x433D 3688 bytes
font_01_sfnt_off00005043.bin
087e73f4b480cbd683a0951f360ade6b61980d9065c1ec436586af7f8ee0e639		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5043 4780 bytes
font_02_sfnt_off0000608f.bin
b5c6b1cb625b4f4b67d9fe8760ab3a4163aca08aac1ea5b44d78a35e475401a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x608F 8988 bytes
font_03_sfnt_off00007f49.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F49 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.