Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd7dbc9008296465…

MALICIOUS

PDF

42.4 KB Created: 2020-08-31 11:56:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8f4a857c666a09f3fe252de344135e3f SHA-1: 50e57aec53c78b6696fbe961892688624cfeaf81 SHA-256: fd7dbc900829646598667b4fa32fb5683a68674abfb78f36085104ea1814baae
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One prominent link, which is also present in the document body, directs users to a malicious redirector at ttraff.cc. This suggests a phishing or scam attempt designed to drive traffic to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=boost+zte+speed+prepaid+smartphone
    • https://static.usrfiles.com/ugd/b8c837_a01d7c7460fa4983abd0fa8045e5276c.pdf
    • https://static.usrfiles.com/ugd/bd5c68_06f5cb31e0424b5bac05f6b7b91edbce.pdf
    • https://static.usrfiles.com/ugd/95089d_ca375236dfa64a479dfd4c1488472075.pdf
    • https://static.usrfiles.com/ugd/5926b4_a6129775b87f42088ddd2fd9d752eb80.pdf
    • https://static.usrfiles.com/ugd/ea9bdf_af60765d0a1a4ba7aed8cef3a6831dc7.pdf
    • https://static.usrfiles.com/ugd/599f1c_51b8da79877b492c986d4b71ab09eb55.pdf
    • https://static.usrfiles.com/ugd/b8c837_b361b32ed397438fba0f4d6ea1c31c35.pdf
    • https://static.usrfiles.com/ugd/0c41e7_d9c3bcb518a74d2e81caa8bc9f91be9d.pdf
    • https://cdn.shopify.com/s/files/1/0434/5711/8374/files/luwakisisuwubiwuzam.pdf
    • https://cdn.shopify.com/s/files/1/0431/0079/9140/files/cisco_ccie_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0452/2138/0247/files/borland_c_builder_6.pdf
    • https://cdn.shopify.com/s/files/1/0437/5448/7957/files/hematopoiesis_definition.pdf
    • https://cdn.shopify.com/s/files/1/0450/9263/4789/files/fusionner_fichier_adobe_reader.pdf
    • https://static.usrfiles.com/ugd/b8c837_61bd09aa55164e8187b767f01e3b8b5b.pdf
    • https://static.usrfiles.com/ugd/7d1dc9_89572559332c4a8298b1f700b83e0fb2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006642.bin
14abcbbe930f503c6a5bb90971cb229c23d3341bfd216172d1e0215dd6ac1872		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6642 5268 bytes
font_01_sfnt_off00007808.bin
5ac1830335dbdb078cb79678042432101226698f2cd4157c426df6a5dd249d66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7808 10832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.