Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff6c0b90ee3d56b8…

MALICIOUS

PDF

39.3 KB Created: 2020-08-29 02:50:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78f75015e5268524887a604c90ef75a7 SHA-1: ff4ac360ed45c80365fee4903a8ed1e659001e3e SHA-256: ff6c0b90ee3d56b8a5c3210a83dba98d777ee012f241f1a4c24083607015ee00
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains text related to a book title and the malicious URL, suggesting a lure. The file also exhibits characteristics of a link farm, with numerous embedded URLs, many pointing to 'static.usrfiles.com'. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to a phishing site or malware download.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=management+by+chuck+williams+7th+edi
    • https://static.usrfiles.com/ugd/b8c837_82d58ea8d7b746d8b83657b1ec4f3a29.pdf
    • https://static.usrfiles.com/ugd/b8c837_7e02755ea7f64cb2ba3cd4a7f15fa134.pdf
    • https://static.usrfiles.com/ugd/b8c837_f8944209c2914810a63a888ac8410cf0.pdf
    • https://static.usrfiles.com/ugd/b8c837_19dd197a03cd45378ade5602fba8d609.pdf
    • https://cdn.shopify.com/s/files/1/0447/4057/5386/files/wamovug.pdf
    • https://cdn.shopify.com/s/files/1/0435/9775/8622/files/a_remarkable_beetle_mini_ielts_reading_answer.pdf
    • https://cdn.shopify.com/s/files/1/0431/5031/1579/files/xelamulimejifidijeruvafer.pdf
    • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/nopotibowobin.pdf
    • https://static.usrfiles.com/ugd/b8c837_41401a2f0eea43b1b83d15ee84866c36.pdf
    • https://static.usrfiles.com/ugd/b8c837_15844fb1dc5047559324f2132a9ad118.pdf
    • https://static.usrfiles.com/ugd/b8c837_300d324a37584d14a789e65159413c8c.pdf
    • https://static.usrfiles.com/ugd/b8c837_9a3b37f170d244a4b7b7ee49d1f1d659.pdf
    • https://static.usrfiles.com/ugd/b8c837_abdb5ec905934ac38841caae9bb13ccf.pdf
    • https://static.usrfiles.com/ugd/b8c837_faf09e797d1f4b0fb87d35e76c5b673f.pdf
    • https://static.usrfiles.com/ugd/b8c837_8986a352d3e34bfaa42be1ba92de6605.pdf
    • https://static.usrfiles.com/ugd/b8c837_b18c0ffc66744c3c871f2457452c1d9d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000055bc.bin
58b908ff39224f45fd8036bf4be4dde12ec353e6b6cdc4933a2e41008b897bf5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55BC 5740 bytes
font_01_sfnt_off00006942.bin
87e9e37c73d49b6df3dc2a194af8e4c90d2799a1d253347cdf62f678aa4c491c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6942 11840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.