Malicious PDF — malware analysis report

Static analysis result for SHA-256 e173fa4acdf18d7a…

MALICIOUS

PDF

33.3 KB Created: 2020-09-08 20:49:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a3b77257333ddfc352d392cd25123d7 SHA-1: 5a592abf7d8929de949decb8b5243c37138e1bc4 SHA-256: e173fa4acdf18d7aa86c014f1c1d17aca30381ef0ebaeffa3211a4a312978541
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=chameleon+apk+no+root'. This URL, along with numerous other embedded links to PDF files hosted on static.usrfiles.com, suggests a link farm designed to drive traffic to malicious content. The document body, though heavily obfuscated, contains the primary malicious URL, indicating a social engineering attempt to trick users into downloading a file by searching for specific terms.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=chameleon+apk+no+root
    • https://static.usrfiles.com/ugd/5438e3_e6acdc44ce9c4bb1b5dcb97458688501.pdf
    • https://static.usrfiles.com/ugd/3801ff_69a22dbf039b4eeda0662aad9294572b.pdf
    • https://static.usrfiles.com/ugd/510691_cc8d88f587384b959aed5596a2c1263c.pdf
    • https://static.usrfiles.com/ugd/f4de5e_ec90bed07af64481b0ed145cff4d7f07.pdf
    • https://cdn.shopify.com/s/files/1/0437/8827/1767/files/zufaviwikubosigukipos.pdf
    • https://cdn.shopify.com/s/files/1/0431/1446/3394/files/84472438038.pdf
    • https://static.usrfiles.com/ugd/c6ac46_fad04edaeac748bba8e28707e4ee2f33.pdf
    • https://static.usrfiles.com/ugd/18122d_d2bc63c425ec48399912ba9bacbfe919.pdf
    • https://static.usrfiles.com/ugd/89c6ad_2899a52e5b6c4e56b1b7e1a89e12496a.pdf
    • https://static.usrfiles.com/ugd/d017d5_e494092b2a9b42af9669946b13f4e145.pdf
    • https://static.usrfiles.com/ugd/b4f0c6_9ff89a5fe30b48eb8079281cef4ce3c3.pdf
    • https://static.usrfiles.com/ugd/e02969_ac1501778f104520b772023fad6bfc71.pdf
    • https://static.usrfiles.com/ugd/805d2a_de0de2032588429face3d5bed52ddb21.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000047b0.bin
bcc33dd3b7c22d5f90bd4bb858faa8777ed5e03f40b40574310670fe4c5e49e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x47B0 4852 bytes
font_01_sfnt_off000057fa.bin
c8ca50fe7953ee9120c81faee60b64192b614008442a0e4027c2989300e44b76		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57FA 9640 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.