Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4a05f33169f5fa2…

MALICIOUS

PDF

45.0 KB Created: 2020-08-29 19:32:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69d85069055bcb64307a82998d756f46 SHA-1: 1353110e8643b3d1b3fc08db325c86972d710d13 SHA-256: e4a05f33169f5fa2db51d33b456c268fd96ba7dc92aae679c3654a46616eb7b1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a search result for "the very best of fingerstyle guitar pdf". This link, https://ttraff.cc/wix?keyword=the+very+best+of+fingerstyle+guitar+pdf, leads to known malicious infrastructure. The document also contains a large number of links to benign PDF files, likely an attempt to obscure the malicious link or for SEO manipulation.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=the+very+best+of+fingerstyle+guitar+pdf
    • https://static.usrfiles.com/ugd/b8c837_fdc282079e82424ca25f13a1dc5378d9.pdf
    • https://static.usrfiles.com/ugd/b8c837_d1d7f7b7a9fa4410bb39b8d6906269d2.pdf
    • https://static.usrfiles.com/ugd/b8c837_89dbc283b57b4d5cac7e2b0aff9cfc67.pdf
    • https://static.usrfiles.com/ugd/b8c837_65753c6de48c4181ab587ea8a8e608a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_750fefc10f9d4e72875b2972495b68c5.pdf
    • https://static.usrfiles.com/ugd/856cea_f8c2c069769341de80480ea8f5f19d9f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e3412b6fb3b5451aa6a36a134e74a7df.pdf
    • https://static.usrfiles.com/ugd/b8c837_1b1a633001ce4af7bdc2582769e90779.pdf
    • https://static.usrfiles.com/ugd/b8c837_b65c760b31a648a095036790a0873184.pdf
    • https://static.usrfiles.com/ugd/b8c837_03f51cecd1f14850b602826146c68541.pdf
    • https://static.usrfiles.com/ugd/b8c837_5764c5704b104971b7c20ceee43ed0e0.pdf
    • https://static.usrfiles.com/ugd/b8c837_903ed052b9164704967317d2aaf1eb30.pdf
    • https://static.usrfiles.com/ugd/91e123_dbb8bd6b7bb64e1d8b60740c21af3c8e.pdf
    • https://static.usrfiles.com/ugd/b8c837_4e1ad306dfcd4c7594ba4964ccb577ec.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005450.bin
70002eae85b633d06f0bbe14abf7b6be44713e02010308304b88f6fe2535f8f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5450 8396 bytes
font_01_sfnt_off00007022.bin
76950550f060953489cd811bfd3e6a0f3fe1fed345d012641b8aa56284be1033		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7022 5556 bytes
font_02_sfnt_off00008302.bin
b8152a50583fc07eb90b742fad4adf9fa0fb18e5ad936ed4918e4af3c0066ecd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8302 10676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.