Malicious PDF — malware analysis report

Static analysis result for SHA-256 22d99a76899bb589…

MALICIOUS

PDF

52.7 KB Created: 2020-08-20 07:14:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4da182ac57266e469bbd7286cea4693a SHA-1: 2f845987ea894e044a4349fb5cac998b70e322d3 SHA-256: 22d99a76899bb589302c2b0b058d4859372c6c080b49d8b00a4a1efcfb8c6862
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic firing indicates that the PDF links to known malicious redirector infrastructure, specifically 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL. This suggests the document's primary purpose is to lure users to malicious sites, likely for further exploitation or phishing.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=puchd+date+sheet+2019+m.+com
    • http://files.wardragons.info/uploads/1/3/1/8/131871704/sepogome.pdf
    • http://liketaji.andoverwarriorbaseball.com/uploads/1/3/1/4/131453133/xexijevanebebo.pdf
    • http://files.docrhi.com/uploads/1/3/1/4/131437380/1576148.pdf
    • http://files.pressserviceinternational.org/uploads/1/3/1/3/131383771/1d6e5.pdf
    • https://cdn.shopify.com/s/files/1/0429/7578/9215/files/3908758338.pdf
    • https://cdn.shopify.com/s/files/1/0430/2651/4077/files/hotel_design_planning_and_development.pdf
    • https://cdn.shopify.com/s/files/1/0430/0223/2983/files/xupunigaviwupuwebuji.pdf
    • https://cdn.shopify.com/s/files/1/0435/5211/2804/files/19606027156.pdf
    • https://cdn.shopify.com/s/files/1/0434/2225/3205/files/evaluate_homework_and_practice_answers_geometry.pdf
    • https://cdn.shopify.com/s/files/1/0430/1645/4305/files/rafogaxuw.pdf
    • https://cdn.shopify.com/s/files/1/0429/6392/7203/files/27486467779.pdf
    • https://cdn.shopify.com/s/files/1/0433/2702/9400/files/sexikinid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000672b.bin
dae4e96a7196fa767422bb7f5cafb891d4801f1c62dffc9d3e1ee5fc39fcc953		 pdf-font-stream PDF embedded font (sfnt) at offset 0x672B 5564 bytes
font_01_sfnt_off000079ee.bin
7bb91423d63eb6bd7c2657278979848d60b7d38679106ec23dbd755ba6ab3d32		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79EE 2320 bytes
font_02_sfnt_off0000843e.bin
a359e39797aea5d1c11da33408ea3d7fb2ae711bfa22c6e832cdd6e66608ff3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x843E 13880 bytes
font_03_sfnt_off0000b03f.bin
5f3bf50395e8d1b65f29ab90a426c3665da69f8437ae50e88eef237d5e22552a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB03F 16224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.