Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed57a475534c590c…

MALICIOUS

PDF

47.0 KB Created: 2020-09-01 09:05:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d7673fc631a73ba2b5d799a6ca6d71a SHA-1: 863a8a65138e8bd3625cfce98b4882d9d95d0ca2 SHA-256: ed57a475534c590c0d2b520e168cc84ae75e3fb7104d46ce279d689d0e72b057
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to a known malicious redirector. Additionally, PDF_SEO_LINK_FARM indicates a large number of outbound links, likely for SEO manipulation or to distribute further malicious content. The document body, though heavily corrupted, contains the URL https://ttraff.com/wix?keyword=brazilian+jiu+jitsu+theory+and+technique+pdf, which is flagged as malicious. This suggests a social engineering attack aiming to redirect the user to a malicious site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=brazilian+jiu+jitsu+theory+and+technique+pdf
    • https://static.usrfiles.com/ugd/67f5f7_bcc876dfbf9d42d5bd54087afdf4374a.pdf
    • https://static.usrfiles.com/ugd/544c7e_ff6c4222f7774112858c2669c4d878ff.pdf
    • https://static.usrfiles.com/ugd/db1da1_6d6f110ed455438fa66918f6d2c65d53.pdf
    • https://static.usrfiles.com/ugd/269bb8_70c3646f7fe24ed5be4cf442c42a3c2b.pdf
    • https://static.usrfiles.com/ugd/b8c837_99ab475b41a142b8b91bf48faf579473.pdf
    • https://static.usrfiles.com/ugd/ce0e6d_4efc6d90df134c13ab854ffe8b717834.pdf
    • https://cdn.shopify.com/s/files/1/0432/8708/5220/files/balance_board_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0428/4124/3814/files/pizejodemapugazamasaderun.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/5084553863.pdf
    • https://static.usrfiles.com/ugd/e5412a_684e636817ef47698c48f0d9436372a6.pdf
    • https://static.usrfiles.com/ugd/6908d7_6c79369d2b4e403d8db4654eeaf657e2.pdf
    • https://static.usrfiles.com/ugd/67e251_ead0e87ec64b4fd18c7560896b2db5ec.pdf
    • https://static.usrfiles.com/ugd/ecec20_61bafeb8a13b4d849831b87c921bf94d.pdf
    • https://static.usrfiles.com/ugd/c1108c_5d32a28227ef4905a7d47e0f27794c9c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000077be.bin
04ab59d4972b83a14f30418f76497eb5466e1e05dc9bfd0407c1824d5ea917ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77BE 5644 bytes
font_01_sfnt_off00008afe.bin
a11b19dabb791b89782b04dc12e2b8bd0e58cc94770be80c0b073ea22c449790		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8AFE 10732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.