Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0476bb32e2e51f5…

MALICIOUS

PDF

41.9 KB Created: 2020-09-07 11:16:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 77dd96f64bf91dc62513ed54a527197e SHA-1: 878344c77f1bf9ff1fa703fd4ca0d33ba6a83e4a SHA-256: e0476bb32e2e51f5764d7e1b4274d649f6250508765a1f02443b4f7a79d1c8fe
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a free template for a Texas LLC operating agreement. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates the primary URL leads to known malicious infrastructure. The PDF_SEO_LINK_FARM heuristic suggests the document is part of a larger effort to generate traffic, likely for malicious purposes. The embedded URL https://ttraff.me/wix?keyword=texas+llc+operating+agreement+template+free is the most critical IOC as it is the direct lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=texas+llc+operating+agreement+template+free
    • https://static.usrfiles.com/ugd/8ade13_c3976e334d0c4478ba089b76ab5f373c.pdf
    • https://static.usrfiles.com/ugd/b8c837_6449315d0e44409598dd7ff201f59c26.pdf
    • https://static.usrfiles.com/ugd/d32f78_c1971ca89bde40f485c14cf01f7949c6.pdf
    • https://static.usrfiles.com/ugd/8127dd_f3abdf3930b64cd48a157aecbfdb5d5b.pdf
    • https://static.usrfiles.com/ugd/882da0_f23d41c5685a46b0a43839c610609a99.pdf
    • https://static.usrfiles.com/ugd/4cd51e_41a689a3ba5f459eb443db7fe53944b3.pdf
    • https://static.usrfiles.com/ugd/7c41c1_d5b29baa36a84994a90a2b61368b4c32.pdf
    • https://static.usrfiles.com/ugd/79e0dc_69e3af8f0fd2495781e0ff88024d740a.pdf
    • https://static.usrfiles.com/ugd/b8c837_4fe9ca3e4ebf4cb6be6b9aff8f9824a2.pdf
    • https://static.usrfiles.com/ugd/b28ae2_4f0877db902c42a283bc4755034e3709.pdf
    • https://static.usrfiles.com/ugd/b8c837_7542c7f67ad24ae6b4c755e5b9fd0709.pdf
    • https://static.usrfiles.com/ugd/0c4177_555acc7554374a9a9d5e94f1190dfa3b.pdf
    • https://static.usrfiles.com/ugd/a382ee_3e02882262474352921d08cdf393295d.pdf
    • https://static.usrfiles.com/ugd/6240f8_cbc03460704b431fb86f0027b2a6db6c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000654b.bin
2ad35fc60b5921f9653c429ba950ee960adbcec9da5459cd23e6f65c17e786d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x654B 5352 bytes
font_01_sfnt_off0000776f.bin
c4b07f46158d9b28576c92e863113293c41f2014ab300705735cd97da116ced1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x776F 10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.