Malicious PDF — malware analysis report

Static analysis result for SHA-256 d094ec6c91220232…

MALICIOUS

PDF

34.4 KB Created: 2020-08-30 23:12:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69eaebdedc88174e1c69e8bc32a4998b SHA-1: 8c6bf314d6f158b6f535c1167675aac45126fe84 SHA-256: d094ec6c91220232ee06eba6a2e1c5c5187571293bd287721067c338928f8f82
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=bible+bingo+game+printable'. The document body, though heavily obfuscated, also contains this URL and references to 'Bible bingo game printable', suggesting a lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs pointing to static.usrfiles.com, likely to improve search engine ranking for the lure content. The primary malicious IOC is the redirector URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=bible+bingo+game+printable
    • https://static.usrfiles.com/ugd/ea9bdf_4ae275f65fec4b3791de2366e3275356.pdf
    • https://static.usrfiles.com/ugd/b8c837_9e3b4622226e425fbc95cc7d4cf7127b.pdf
    • https://static.usrfiles.com/ugd/b8c837_bad715f8c16140a1a66ce1fbd0b3af5e.pdf
    • https://static.usrfiles.com/ugd/b8c837_4d9df525fec94099a8c97dcaba23c6f5.pdf
    • https://static.usrfiles.com/ugd/1f2646_4b226ec1e78043aea7b931b07428de08.pdf
    • https://static.usrfiles.com/ugd/5899d5_5ec2d3c608ee4a33991f0cc4d56b5a99.pdf
    • https://static.usrfiles.com/ugd/affb4a_c5a95b652bf347a7b05bf91545512b6d.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_406f7e2f8cf64ddabfdbe6a4d6f10f14.pdf
    • https://static.usrfiles.com/ugd/b58d21_63f5ce24e8a449babeac774783530b68.pdf
    • https://cdn.shopify.com/s/files/1/0430/3365/7495/files/bekelotakimamebunerupa.pdf
    • https://cdn.shopify.com/s/files/1/0428/1312/8867/files/71697375233.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ab5.bin
c7ba0bf33dfc1dd43cf0d694fddd384316a97419f0635fe7e558f16cbbea8ec0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4AB5 5148 bytes
font_01_sfnt_off00005c1c.bin
9852d8977f1544272d35ff03a322da0b2e3d0c8be52615141558a0627109cd2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C1C 9780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.