Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef1bc3d9e52dae6c…

MALICIOUS

PDF

36.1 KB Created: 2020-09-19 04:52:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30364b2deef2328c5b09556d6abcf4d5 SHA-1: 2d518c4da1843dfa4305cd31b64a09da7c727033 SHA-256: ef1bc3d9e52dae6c6ef83dec0bfd270dad9c2511f9dd1e98812fc0f860723473
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to `https://ttraff.club/wix?keyword=unblocked+games+hacked+weebly`. The document body, though heavily obfuscated, contains a similar string, suggesting the lure is related to "unblocked games". The PDF also contains a large number of external links, indicative of a link farm, with the primary one leading to a PDF hosted on a filesusr.com domain. The presence of a download button lure further supports the malicious intent of redirecting the user to potentially harmful content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=unblocked+games+hacked+weebly
    • http://mepegi.youaremydrive.nl/uploads/1/3/0/7/130739624/nupuvarip-sugeme-fujeliwa-vinutuxoluwi.pdf
    • http://files.yasainetplus.com/uploads/1/3/1/8/131856389/d7dbeabb8.pdf
    • http://files.alanphillipsart.com/uploads/1/3/2/8/132815767/86ae301e9.pdf
    • http://files.birth-roots.co.uk/uploads/1/3/0/7/130775403/732f2836.pdf
    • http://files.hairgonerogue.com/uploads/1/3/0/9/130969211/cc02211d3f87c19.pdf
    • https://b337708a-54c2-4a8d-bbdc-09bf46597324.filesusr.com/ugd/8db125_e4b0ad52012242fca39e4a752b01ef41.pdf?index=true
    • https://420e28b2-fd02-41cf-88b4-e41dc10b4442.filesusr.com/ugd/c4ccc4_adc0b720719b42beb49185f985b719e0.pdf?index=true
    • https://853e501e-e7d8-4c5b-b1a3-6080c3867cf4.filesusr.com/ugd/1a94e8_ede7cf75bda94f61a069b7a565b67c5a.pdf?index=true
    • https://f0935513-4cad-4e0a-9fef-5fb89658e3b9.filesusr.com/ugd/8b49c6_41fae8e5bded497c98f7ea563052a00d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/2919/9005/files/baritone_horn_music_sheets_free.pdf
    • https://cdn.shopify.com/s/files/1/0432/5117/1478/files/zemagisivawurolodoxob.pdf
    • https://cdn.shopify.com/s/files/1/0431/6836/6746/files/adobe_reader_offline_installer_for_windows_10.pdf
    • https://cdn.shopify.com/s/files/1/0429/8804/4442/files/debtor_aging_report_in_excel.pdf
    • https://cdn.shopify.com/s/files/1/0428/9101/8396/files/tipos_de_anestesia_local.pdf
    • https://db5387ef-0ebb-4531-85ee-ea6fb47abba2.filesusr.com/ugd/a58b01_48ee480b97bf420eb9f9e2c767d764fe.pdf?index=true
    • https://3b59d991-9331-4655-8a64-4d1832845764.filesusr.com/ugd/286fb8_6ec72cdf3e5347748aaa3e5529729ea6.pdf?index=true
    • https://1bc06b59-863b-4520-be45-064f8f42b702.filesusr.com/ugd/2486b5_6ecea88d8f0446b4a6bcf5048627f2ae.pdf?index=true
    • https://d16d938e-2187-4e28-a567-589ce6aab0ab.filesusr.com/ugd/bf0735_94dda076f3854c808f4eabae6eb2b9d9.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0428/9101/8

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004cdb.bin
836f7483ec6d95f588b3aefc4c8ff11d3214cf9800d93b286d395e5d6503d106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4CDB 5648 bytes
font_01_sfnt_off0000600b.bin
f6da04f43f2bbd682a2a300cbe446370578509d4306b1b2b9b3e6b06d064ed56		 pdf-font-stream PDF embedded font (sfnt) at offset 0x600B 10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.