Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d75d9d5b6d0bb23…

Verdict: MALICIOUS
File type: PDF
Size: 106.3 KB
Created: 2020-09-06 02:19:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1bc377447617cf17ca860f4c64c837d0
SHA-1: c5950f6834eea3c2aaee3bcc0685782adb3d5f63
SHA-256: 1d75d9d5b6d0bb23f6dd98d85c39a50c93ec34a2204e909d3bcaee3107c9f919
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=bilibili+video++2018'. Additionally, it exhibits a PDF link farm behavior, with 30 generated SEO PDF links, suggesting an attempt to manipulate search engine results. The document body, though heavily obfuscated, contains the malicious URL and keywords that align with the lure. The presence of a password archive lure heuristic indicates a potential multi-stage attack.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=bilibili+video++2018
    • https://static.usrfiles.com/ugd/0bcf16_d190cdfc80df4fa489ea3efee16891f5.pdf
    • https://static.usrfiles.com/ugd/dc98cc_411b96b45d0c4c5fb7383f244ef31ea7.pdf
    • https://static.usrfiles.com/ugd/d54300_dd1b5a2b0ef84b7ab80402bddf56531d.pdf
    • https://static.usrfiles.com/ugd/c1de29_603088ab85164c029787aaa7b8c00360.pdf
    • https://static.usrfiles.com/ugd/99a8f2_d5a89ec0e621480d8951ab18f39dba3b.pdf
    • https://static.usrfiles.com/ugd/0779a3_13f28ea2c3e243b0b0e7d73ebe9fdb8d.pdf
    • https://static.usrfiles.com/ugd/37428b_7f9e3f5c33484a48b3ba8671d1084c1e.pdf
    • https://static.usrfiles.com/ugd/2486b5_2feb6009bc234b05af1e21ee5ba8b3de.pdf
    • https://static.usrfiles.com/ugd/ade4e6_c2ee72243dff4214bd459c942c3c36cb.pdf
    • https://static.usrfiles.com/ugd/c0a468_baa2ce9867a94a13b87d4fd9724b8b11.pdf
    • https://static.usrfiles.com/ugd/2eec94_7ab3fd1a62d54a72abb61e6bab0d4bf3.pdf
    • https://static.usrfiles.com/ugd/62e2c1_5aa17e3770e5437f8e90dfe05a9e068d.pdf
    • https://static.usrfiles.com/ugd/0994f9_3fc188c0c8c24d0aa632db0071d52604.pdf
    • https://static.usrfiles.com/ugd/87fdc7_89019b32a5394e4a9f56f503acb130b5.pdf
    • https://static.usrfiles.com/ugd/2f7815_761f1663a0244d1eb8b58f7d4dac9249.pdf
    • https://cdn.shopify.com/s/files/1/0435/0607/3759/files/sejemofavezinute.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/vujimosapomowubepuku.pdf
    • https://cdn.shopify.com/s/files/1/0431/6043/6896/files/254762699.pdf
    • https://cdn.shopify.com/s/files/1/0439/2537/3083/files/alchemy_crafting_guide_eso.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000d65b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD65B   45524 bytes
  SHA-256: b3e2d2f615f925e433e504f6d6e5f665dff1ca42c1e26f898d235464caedd2ca
font_01_sfnt_off000160a3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x160A3  5104 bytes
  SHA-256: c86d54535d7d95ef610dd8c889b2a835a6f25c62322bc427940b66481420c6db
font_02_sfnt_off00017222.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17222  12876 bytes
  SHA-256: 1c3f2528b788c6661ccd119596ae36d34aa0080931f81272eae06f5971f22604