Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce000ec7721d0ec3…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Created: 2020-08-30 18:48:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7aed38164040fc78e9554077ad1b6d7b
SHA-1: 9edac4c5d787c6078f7f2b18d7e3b1177f12b6ce
SHA-256: ce000ec7721d0ec3dabf7df7f28e226410c9166323f451bcbc68052ad066958b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with a critical heuristic firing indicating a PDF link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL https://ttraff.com/wix?keyword=possessive+nouns+lesson+plans, which is flagged as malicious. The file also exhibits characteristics of a link farm, with many links pointing to static.usrfiles.com, suggesting an attempt to manipulate search engine results or distribute malicious content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=possessive+nouns+lesson+plans (flagged as malicious)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006497.bin
    SHA-256: 7f1ef2d6787d492b1b463de5f435cc692675f70be21a8d6e2af1a9d3d674fd9e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6497
    Size: 4776 bytes
  • Filename: font_01_sfnt_off000074ed.bin
    SHA-256: 9d3a71e5c650ebfc96fb1d94c56f73d925671cfd5a43a8d36173dbd8f261e8fa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x74ED
    Size: 10376 bytes