Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec9c7f030aec6990…

MALICIOUS

PDF

37.8 KB Created: 2020-08-31 18:45:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bbd55839a20c08dff4096d413422b3b SHA-1: 44b731e565cc73bcb9f054da977b96b77a5f4d11 SHA-256: ec9c7f030aec6990547f4f5c95d93fe75c381c782fa03efa70001f5c49df524c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a lure to watch a movie for free, which is a common social engineering tactic. It embeds a link to a known malicious redirector, ttraff.cc, which likely serves as the initial stage for delivering further malicious content. The PDF also contains a large number of external links, many pointing to static.usrfiles.com, suggesting a link farm or SEO poisoning attempt to drive traffic to the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=watch+hannibal+movie+free
    • https://static.usrfiles.com/ugd/6c032c_0d111c1ce5eb436e81e31513576aef5f.pdf
    • https://static.usrfiles.com/ugd/bf650e_67ac142eb2484ca19ca0d9496e671e16.pdf
    • https://static.usrfiles.com/ugd/105a8c_03c41cd6b4474bc98964a7c5eacb01a5.pdf
    • https://static.usrfiles.com/ugd/db1da1_35d26bf97e694fbd914afe50971f2213.pdf
    • https://static.usrfiles.com/ugd/0d089b_4af02db80ad3445485b2479dba0e9898.pdf
    • https://static.usrfiles.com/ugd/b8c837_f095f40c0e9947c0a70af4966b083b96.pdf
    • https://static.usrfiles.com/ugd/b8c837_9f11a8352be5450d9965ac217684a88d.pdf
    • https://static.usrfiles.com/ugd/f63f29_3786437d8eb24fa88706f9b59ec9bf59.pdf
    • https://static.usrfiles.com/ugd/d2751c_c0e7f6726f1e4653a1691592467b4028.pdf
    • https://static.usrfiles.com/ugd/d43733_8027d3612aa54ba6b00cf31d4c05aab8.pdf
    • https://static.usrfiles.com/ugd/599f1c_9f28d9c25f9c47649c28bb268b826133.pdf
    • https://static.usrfiles.com/ugd/b8c837_e5fc2254784b4d0182c473388d4d24ca.pdf
    • https://static.usrfiles.com/ugd/2f8cea_0ba3bc3b3a2f4d69ba25f3cf038cf788.pdf
    • https://static.usrfiles.com/ugd/b8c837_00b0f315ce69400b92392478d17f8673.pdf
    • https://static.usrfiles.com/ugd/b8c837_3267b6a3bef14ac59d0974a395abaaa0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000543f.bin
1dc49ff3ca63c5e8bbb33176983a73707ca7b305cd20b76f5280bcad13ecb583		 pdf-font-stream PDF embedded font (sfnt) at offset 0x543F 5156 bytes
font_01_sfnt_off000065b6.bin
3cabdc9b3b17942768c32b49fe0c22b0106a31ce2f991bc610c8b860be5b5315		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65B6 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.