Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c86f2593f840982…

MALICIOUS

PDF

48.7 KB Created: 2020-08-29 22:37:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 719b2ccabbb28f935a92cf66f292f629 SHA-1: e3fe598516555065af151804569afe125c5971d0 SHA-256: 1c86f2593f84098249f3f3f157fbd8f96395b1de06792214cf990fe5b3808ba4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in Systems

The PDF document contains a large number of embedded links, a technique often used to create SEO spam or redirect users to malicious sites. One of the embedded URLs, https://ttraff.cc/wix?keyword=lg+g6+ip+rating, is flagged as a known malicious redirector. The document body itself is heavily obfuscated but appears to contain the same redirect URL, suggesting the primary purpose is to lure users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=lg+g6+ip+rating
    • https://cdn.shopify.com/s/files/1/0429/2637/5071/files/the_flash_s03e09_vodlocker.pdf
    • https://cdn.shopify.com/s/files/1/0429/8558/6841/files/wagetiriwo.pdf
    • https://cdn.shopify.com/s/files/1/0464/1783/8248/files/9450269993.pdf
    • https://cdn.shopify.com/s/files/1/0431/3264/9636/files/ampps_mysql_won_t_start.pdf
    • https://static.usrfiles.com/ugd/b8c837_aea42510b00b4a3dbadee64d088213eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_788ddd614c0f456ebacbb561db77c414.pdf
    • https://static.usrfiles.com/ugd/b8c837_970dda51a6ad485dbb4fce0e853d2754.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zonixalekena.pdf
    • https://cdn.shopify.com/s/files/1/0430/4027/6642/files/haproxy_rate_limit.pdf
    • https://cdn.shopify.com/s/files/1/0430/0832/7829/files/digakulewire.pdf
    • https://static.usrfiles.com/ugd/ca300b_1a03952ff9394b81a33cfd1280eaf615.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_5d59cf87bad14216bca9fbe196e11220.pdf
    • https://static.usrfiles.com/ugd/b8c837_040c7584a9a24ecc9a3cd31e372d9080.pdf
    • https://static.usrfiles.com/ugd/b4a829_0453676c5aca491ebadf63acbdb621b3.pdf
    • https://static.usrfiles.com/ugd/d54300_9f721620ce104d62b89cbf8a8b294ac2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007faa.bin
74ba480c26db5c7ee75fcee40a76d3eb1ee249d9cd1ebc4ee8be171bbbbeb25b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FAA 4872 bytes
font_01_sfnt_off00009048.bin
a665975aa1b91dbd18684486db1441a58241160f16e29467e685ec1e4cd4cc5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9048 11412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.