Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2207cfd1f206b11…

MALICIOUS

PDF

37.9 KB Created: 2020-09-06 22:55:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c569644838e7fe9e84b095714deb70a SHA-1: a23a8e7c435ee0da06b925272cd5c63a4bab16b5 SHA-256: f2207cfd1f206b1108fb134ab19645954184aa62f9e13ad6a4150fe7ddb8dd41
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=rhythm+guide+poster'. The document body, though heavily obfuscated, contains this URL and text suggesting a lure related to a 'Rhythm guide poster'. The file also exhibits characteristics of a PDF link farm, with numerous embedded URLs, many of which point to benign content but serve to obscure the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=rhythm+guide+poster
    • https://static.usrfiles.com/ugd/b4f0c6_f17e6a105b1345c8b9bf0287924a2c4f.pdf
    • https://static.usrfiles.com/ugd/83d902_58e55d4728f047e9b011813dcd7b7f74.pdf
    • https://static.usrfiles.com/ugd/b8c837_471ef8e33f964ebba8d3aa96f8b02e83.pdf
    • https://static.usrfiles.com/ugd/bba345_823ed95148e6499fa9c2e2c3ae3168cf.pdf
    • https://cdn.shopify.com/s/files/1/0461/7584/6563/files/jegetebanasobeb.pdf
    • https://cdn.shopify.com/s/files/1/0431/3582/8124/files/sonuxepepokugiti.pdf
    • https://cdn.shopify.com/s/files/1/0429/5006/6339/files/troy-bilt_tb30r_10.5-hp_manual_30-in_riding_lawn_mower.pdf
    • https://cdn.shopify.com/s/files/1/0431/5932/2773/files/27817545978.pdf
    • https://cdn.shopify.com/s/files/1/0430/5040/1943/files/adding_and_subtracting_integers_maze.pdf
    • https://cdn.shopify.com/s/files/1/0431/9707/1524/files/87327359952.pdf
    • https://cdn.shopify.com/s/files/1/0434/0203/5351/files/atividades_de_alfabetizao_eja.pdf
    • https://static.usrfiles.com/ugd/b47706_d5c45366e44747c3b84a5321778cda5e.pdf
    • https://static.usrfiles.com/ugd/1a94e8_fd20b9d36cf8486a96fa73b2b37a5a8c.pdf
    • https://static.usrfiles.com/ugd/b8c837_108fc8ab29a64a10a410ea0c5d2b291a.pdf
    • https://static.usrfiles.com/ugd/a44510_d0fa94cc311e43b693d51c3cea388932.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000055fc.bin
8b6dcaafb1fd488d51562c80082d5a3f1eea3618b75642da3dc3b99b1406fb29		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55FC 5240 bytes
font_01_sfnt_off000067b5.bin
a0e68bf3d46055385daf0d9606b612e78d9f4921896071565f30e808ee743d89		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67B5 10592 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.