Malicious PDF — malware analysis report

Static analysis result for SHA-256 df78d3fa30816f23…

MALICIOUS

PDF

42.3 KB Created: 2020-08-30 00:55:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b13af14038208739669a68c278fa002 SHA-1: ae10962fbd7bdca6592f5d9e9519b0ac371e4f9a SHA-256: df78d3fa30816f239b7d9db7af883b3ce92341537d467a87e46c876885618102
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-Override

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to ttraff.com. The document body, though heavily obfuscated, also contains this URL and numerous other links to static.usrfiles.com, indicating a link farm. The primary attack pattern involves luring the user to click the malicious link, likely leading to a phishing or malware download site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=succession+planning+issues+for+family+businesses
    • https://static.usrfiles.com/ugd/b8c837_c91a8d6cd1764ee89fb98ba89efd4be0.pdf
    • https://static.usrfiles.com/ugd/b8c837_a69c188e6dac4e05bb7d09d2ebeec3c7.pdf
    • https://static.usrfiles.com/ugd/6846fe_2e937e333f354cd79e62ff7db1433189.pdf
    • https://static.usrfiles.com/ugd/b11f6d_3f39024ac53044ceae93debc603d1281.pdf
    • https://static.usrfiles.com/ugd/912de2_3acb57fc1e51424c8376c21633d79015.pdf
    • https://static.usrfiles.com/ugd/f65518_e731ff4a3db2480b8295e1daba7c4f3e.pdf
    • https://static.usrfiles.com/ugd/b8c837_821e933222a64af9b7de43d3807d34f3.pdf
    • https://static.usrfiles.com/ugd/0a052f_604cd0335ee14e76875060452de7c4b3.pdf
    • https://cdn.shopify.com/s/files/1/0434/3549/1490/files/xupukixunedetev.pdf
    • https://cdn.shopify.com/s/files/1/0434/7068/4317/files/bapotusawo.pdf
    • https://cdn.shopify.com/s/files/1/0437/2076/9685/files/modal_auxiliary_verbs_in_urdu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006463.bin
db8699d723c76487a37e3d13a9f1781da178893b363c4eb57bc8de81f829b9cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6463 5680 bytes
font_01_sfnt_off0000779e.bin
278801015f1e03d7410ba7b6bbbc36e0f724f23e98081fa698807c5c1089de75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x779E 11424 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.