Malicious PDF — malware analysis report

Static analysis result for SHA-256 d474db6fe5d68a6f…

MALICIOUS

PDF

47.5 KB Created: 2020-08-31 01:40:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 967c2d8aae9ab71915c083f5ad82c951 SHA-1: 79c36a718d958168a2f1546af947692f64644ee2 SHA-256: d474db6fe5d68a6f3b4c0f9d057e4ae1762ede389d2b9ae1b7014888676742f9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used for SEO poisoning or to redirect users to malicious sites. One of the embedded URLs, 'https://ttraff.cc/wix?keyword=al+ries+jack+trout+positioning+pdf', is flagged as a known malicious redirector. The document body appears to be garbled text, but the presence of the malicious redirector and the link farm strongly suggest a malicious intent, likely to lure users to a compromised site or to distribute further malware.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=al+ries+jack+trout+positioning+pdf
    • https://static.usrfiles.com/ugd/b8c837_269a0ae271c24819a837d7c986639da6.pdf
    • https://static.usrfiles.com/ugd/3bca44_e8c1746fefe2488997e09ffa6b905e3f.pdf
    • https://static.usrfiles.com/ugd/0e2875_bd2cb45875f541628f28b038728239a5.pdf
    • https://static.usrfiles.com/ugd/b8c837_38281d21d2b74252840743180cf1cba7.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f400e71323044a0907474fc5acfc8b7.pdf
    • https://static.usrfiles.com/ugd/b8c837_79459217c46245ba92e78437204a39c2.pdf
    • https://static.usrfiles.com/ugd/d55797_a71a42b8917c4b7e867b0cf04eb09041.pdf
    • https://static.usrfiles.com/ugd/e42ee3_76bf09f5afaa4171b4801cdfc47357b8.pdf
    • https://static.usrfiles.com/ugd/0d9a50_9ddbb25ed86843b4bd09bb3e77948184.pdf
    • https://static.usrfiles.com/ugd/3e5d97_b2c6910f143c42feb6487d992462c4ce.pdf
    • https://static.usrfiles.com/ugd/b8c837_fa69dcda05904dac861d848e4ad6c543.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f9e051fc1024cb1a83a812d439373db.pdf
    • https://static.usrfiles.com/ugd/20d83a_1a76689dba084d5d9b775e5bbf032847.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bf4.bin
388755b5e23c525c994be7e96f5bd1c09a6c6f01235339a0754cd9aefe721e43		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BF4 5452 bytes
font_01_sfnt_off00008e8c.bin
1230c041606815e1b4d49631d04bd4f78852ca7c3a7d4600c1ca47e0e5c97ac2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E8C 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.