Malicious PDF — malware analysis report

Static analysis result for SHA-256 22e188cd898271ba…

MALICIOUS

PDF

48.9 KB Created: 2020-09-06 21:23:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4baa50a83b20e90080dfb5e76f407cf9 SHA-1: fa3f9fa91b92184624ae760cccc1893363ce7b28 SHA-256: 22e188cd898271ba29c0d6646c246366255453868efe6b1863cda454745c0928
168 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a lure to download Google Chrome, which is a common pretext for malware delivery. The document body and heuristics indicate the presence of a malicious redirector link pointing to 'ttraff.club'. This link is likely intended to lead the user to a malicious payload. The PDF also contains a large number of external links, suggesting a link farm or SEO poisoning attempt to increase visibility.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=google+chrome+for+ubuntu+16.+04
    • https://static.usrfiles.com/ugd/accd1f_d80731837a1f475fb3085094b54e67ff.pdf
    • https://static.usrfiles.com/ugd/a01749_33fd6232fec542d39b34dc11db00c0d7.pdf
    • https://static.usrfiles.com/ugd/c1615c_a205b4c97e0a491080b40ceb7c2e0e15.pdf
    • https://static.usrfiles.com/ugd/03dcd4_db30ff96a9ba48ab88a0de5be9e78fff.pdf
    • https://static.usrfiles.com/ugd/b8c837_131b139a46394c5aaed18cd7a6a23c7e.pdf
    • https://static.usrfiles.com/ugd/b0b521_3011d720248d4a4281a63c8addf2f7eb.pdf
    • https://static.usrfiles.com/ugd/2b25b5_4c3f93c6f046485a9da50927f0128b08.pdf
    • https://static.usrfiles.com/ugd/b27199_6262b83a534240bf9a891ef866295b9b.pdf
    • https://static.usrfiles.com/ugd/0d9a50_04b4b8be3a4e46dca13a8be5f6dd337c.pdf
    • https://static.usrfiles.com/ugd/8d46c2_ac288cbcbda341a691a4cbe388c37b57.pdf
    • https://static.usrfiles.com/ugd/bb4607_eece62872f06472281b707e16c8aa81b.pdf
    • https://static.usrfiles.com/ugd/08fe48_043aebed183b4f9d9ab4be4c0108d353.pdf
    • https://cdn.shopify.com/s/files/1/0434/7101/2006/files/biogeochemistry_an_analysis_of_global_change_3rd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0434/0862/1719/files/diraxanusajalemapa.pdf
    • https://cdn.shopify.com/s/files/1/0431/9117/3277/files/14802228686.pdf
    • https://cdn.shopify.com/s/files/1/0431/5011/4965/files/difference_between_validity_and_reliability_in_research.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070ed.bin
e5bfecac0578ba3879c9fcfb1d5da2fbebe4dad5e4d4af2f6aa7bd4fd4a38b11		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70ED 5380 bytes
font_01_sfnt_off00008332.bin
10c4ffd1894258c80f341fee49020e3961976234d4bca71cdcbdf8d2329329bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8332 11060 bytes
font_02_sfnt_off0000a874.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA874 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.