Malicious PDF — malware analysis report

Static analysis result for SHA-256 ffbba4da055580d8…

MALICIOUS

PDF

43.2 KB Created: 2020-09-03 02:51:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54e4f304dce9c5e4957cd85361384570 SHA-1: 56d47dd067dd27e8d03f14217735d2f32effc31a SHA-256: ffbba4da055580d8fdd671a787aa1b72cca383328d6b564429acc690b9879220
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, many of which point to a link farm hosted on static.usrfiles.com. One of the primary links, 'https://ttraff.link/wix?keyword=formal+grievance+procedure+in+south+africa', is identified as a malicious redirector. This suggests the document is designed to redirect users to malicious content, likely for phishing or malware distribution, under the guise of a formal grievance procedure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=formal+grievance+procedure+in+south+africa
    • https://static.usrfiles.com/ugd/e1c37d_32968da0075a49cfbf1f32fd41f67a5a.pdf
    • https://static.usrfiles.com/ugd/b80405_8c3ac1925cb8479daa17481cce9c36b5.pdf
    • https://static.usrfiles.com/ugd/e42c35_58d00ccc7efc419e90096ef62cc4fd5a.pdf
    • https://static.usrfiles.com/ugd/271e65_4375c59e373b4e85a42017bc3879de36.pdf
    • https://static.usrfiles.com/ugd/80bfa9_91fba0411f1947a9a8c854931743f0b6.pdf
    • https://static.usrfiles.com/ugd/cacfd7_b10e0f7714e64058bca6c93db1084978.pdf
    • https://static.usrfiles.com/ugd/a891c0_ef9b3763bffa4c968556031d4d4b63e9.pdf
    • https://static.usrfiles.com/ugd/9f69bd_1f0f24a88a48405aafec87f214865ece.pdf
    • https://static.usrfiles.com/ugd/b8c837_2dec5066c5b74e60b54c8eea77a3ec30.pdf
    • https://static.usrfiles.com/ugd/4a6c57_b0018cc6dba447368ae342781519fb04.pdf
    • https://static.usrfiles.com/ugd/2b25b5_04f73f6ce7b2435faab43dc436ca7032.pdf
    • https://static.usrfiles.com/ugd/b8c837_aecdab9270964012a74f003896c4ad80.pdf
    • https://static.usrfiles.com/ugd/4fea5c_601b140ea9614267a58d3d301bf42183.pdf
    • https://static.usrfiles.com/ugd/83b1b3_f54c26cd2a92432987503057a77f183a.pdf
    • https://static.usrfiles.com/ugd/270e53_63535804d3ca443181994733bf7e3aec.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006afa.bin
df7217f336cf533ec4afa53e3e0bf1c18c356aa0309af7ca7315296f5afc7cad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AFA 5584 bytes
font_01_sfnt_off00007dd1.bin
7de420bf159f45a30b8dcfddebb714308c41a84c51121dac93929bc827593815		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DD1 9880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.