Malicious PDF — malware analysis report

Static analysis result for SHA-256 f64b1c6ab9607a7f…

MALICIOUS

PDF

41.2 KB Created: 2020-08-31 23:01:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 940d8bc4c4b546d754dd54b01bf2bf62 SHA-1: 74d76289779dbb581254f6c0009ee4d2fe2839cb SHA-256: f64b1c6ab9607a7f554d078abb0efca06f7c7955726a23f9cab41fec0b3370ff
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The PDF contains a critical heuristic indicating it's a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=restricted+area+authorized+personnel+only+sign'. The document body, though heavily obfuscated, contains this same URL, suggesting the primary intent is to trick the user into visiting this malicious site. Another critical heuristic identified a PDF link farm, with the first URL being 'https://static.usrfiles.com/ugd/b8c837_0a498d95f1c549b0a84515fce544a631.pdf'. The presence of a callback lure heuristic further supports a phishing or scam-related attack pattern.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=restricted+area+authorized+personnel+only+sign
    • https://static.usrfiles.com/ugd/b8c837_0a498d95f1c549b0a84515fce544a631.pdf
    • https://static.usrfiles.com/ugd/9cb927_7c98a6baa65546af8d2720f9f116d32b.pdf
    • https://static.usrfiles.com/ugd/b8c837_2df67ebf33d145a4a7d7626fcc6d1c51.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/87195604050.pdf
    • https://static.usrfiles.com/ugd/90423f_793599662a7f432c9958cdf23233e3f7.pdf
    • https://static.usrfiles.com/ugd/b8c837_f218264edc8349bebdb67d6bf3c6ba3e.pdf
    • https://cdn.shopify.com/s/files/1/0431/5768/4385/files/31161974492.pdf
    • https://cdn.shopify.com/s/files/1/0427/9474/6023/files/27623168272.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f02.bin
6ead8aae69168f1f41db7b7a47770843284e94238952171a70cdaac651cca397		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F02 5492 bytes
font_01_sfnt_off000071c3.bin
1531a944f96b1df38a5638f5d9ae69501ee37d4b01fee891a44fb465e637113e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71C3 10700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.