Malicious PDF — malware analysis report

Static analysis result for SHA-256 da9b8e3acb53b8a5…

MALICIOUS

PDF

37.9 KB Created: 2020-09-08 16:21:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ae8a5ab779ac7897094ac85e269b0732 SHA-1: 0a07ab99a33703b453968c5efbd1e417b7eae48c SHA-256: da9b8e3acb53b8a525c142fb9ac10e54ae290c4551b853029d089a71a180d032
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a deceptive title and a call-to-action phrase, aiming to trick the user into clicking a link. The primary link, 'https://ttraff.link/pify?keyword=baseball+lineup+generator+spreadsheet', is identified as a malicious redirector. Additionally, the PDF hosts a large number of external links, many pointing to 'static.usrfiles.com', suggesting a link farm or redirection strategy. The presence of a visual download button lure further supports a social engineering attack pattern.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=baseball+lineup+generator+spreadsheet
    • https://static.usrfiles.com/ugd/b8c837_0c10aad2fbc846258c93f6f9b85cf4f6.pdf
    • https://static.usrfiles.com/ugd/6116da_0ba891f2dcc54f22bd959a318f832c4a.pdf
    • https://static.usrfiles.com/ugd/c88839_e8fe8e30c08842a4a3dc3819da1debc7.pdf
    • https://static.usrfiles.com/ugd/23e9be_10762f55112d4df79f75435ee2b72a82.pdf
    • https://static.usrfiles.com/ugd/98d639_347cc07f54474483929147b3b781912e.pdf
    • https://static.usrfiles.com/ugd/63022f_7170fe8997c54bda83967283d767855f.pdf
    • https://static.usrfiles.com/ugd/05301a_24f0a8f9a1e44b6fb12e0fa7e0bfc07b.pdf
    • https://static.usrfiles.com/ugd/113e89_d17f30f9184e48a59b61958f262a6d23.pdf
    • https://static.usrfiles.com/ugd/1e4819_091c441fc0274a4d8e1e5fd2160d2c67.pdf
    • https://cdn.shopify.com/s/files/1/0437/8142/3262/files/xefiwadukajewuxipo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0079/9140/files/21173464713.pdf
    • https://cdn.shopify.com/s/files/1/0434/5797/0329/files/fupesizelipalexede.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005716.bin
af82e5e615f36585c5f3bc4e7d722da30ec631656b0e72160051e0d1647932d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5716 5408 bytes
font_01_sfnt_off00006963.bin
c4531bdbca51423bcfbeef3b70e037f919138767935778e1e19bb8893f27f5c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6963 9800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.