Malicious PDF — malware analysis report

Static analysis result for SHA-256 d85256415127dbd6…

MALICIOUS

PDF

42.5 KB Created: 2020-09-03 01:07:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f3f651fdf4528e8dae26d896dab1ecc SHA-1: 2e4baf327be8cb2174d01243ed84b483a7c4bf07 SHA-256: d85256415127dbd6e6f35c7f3dadd61f72bf672e662af1673276622b1bd45d27
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in

The PDF file contains a large number of embedded links, a technique often used in SEO poisoning or link farm attacks to drive traffic to malicious sites. One of the embedded URLs, 'https://ttraff.club/wix?keyword=destructive+forces+landforms', is flagged as a malicious redirector. The document body itself is heavily obfuscated but contains references to the malicious URL and a benign-looking PDF, suggesting a lure to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=destructive+forces+landforms
    • https://static.usrfiles.com/ugd/9904c2_1a478cac1ac84482ad5154a91033f5cc.pdf
    • https://static.usrfiles.com/ugd/24853a_6d08c0cec34043ee96cba5abf8c9c971.pdf
    • https://static.usrfiles.com/ugd/3225da_3f797cf081d744819ebf5fdda062c1e0.pdf
    • https://static.usrfiles.com/ugd/c7ef1a_1e0f05b127304f3f894b576712ab66a3.pdf
    • https://static.usrfiles.com/ugd/b8c837_704e379a2a26416eabe240f17ddfaf37.pdf
    • https://static.usrfiles.com/ugd/b8c837_d60ebab9554d4247b20a0034793baf23.pdf
    • https://static.usrfiles.com/ugd/429b25_82987b39a3734129a200effb791bf953.pdf
    • https://static.usrfiles.com/ugd/01bc73_5a33ca81b95c48ac9cc34dcbddd77b21.pdf
    • https://static.usrfiles.com/ugd/50c35f_197102466072461da2306bf2f4b89cdc.pdf
    • https://static.usrfiles.com/ugd/b8c837_259b529153ee4d06878348b75a9551b3.pdf
    • https://static.usrfiles.com/ugd/fd7405_4feec77febfe48c8b70b7ed13e4ef96d.pdf
    • https://static.usrfiles.com/ugd/ea9bdf_96867f04235b41f2912638389741e009.pdf
    • https://static.usrfiles.com/ugd/808d8c_476e60ae700745bd8aa3aa47795977ba.pdf
    • https://static.usrfiles.com/ugd/b8c837_a973b37b504147cd9253f887e3dad7d3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006859.bin
73a8ce96e7b7ffb7665d499317c50172e604d1087e338b9cc9e68063285f678f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6859 5224 bytes
font_01_sfnt_off00007a18.bin
89042ecfe48a712e21d0367ade76c51455c219cb75359eb3485e3882dc631e8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A18 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.