Malicious PDF — malware analysis report

Static analysis result for SHA-256 23437b888c5a7d38…

MALICIOUS

PDF

134.5 KB Created: 2020-09-02 12:00:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6be7becff3cf043e3d679e352c735950 SHA-1: 47896981e6412bf796e6770414faaac6f6099d88 SHA-256: 23437b888c5a7d387ded79fca77c915ddc89785d74e96f6061e12565015a1b7e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'ttraff.me'. The document body, though heavily obfuscated, contains the same URL. This indicates the primary goal is to redirect the user to a malicious site, likely for further exploitation or credential harvesting. No scripts were extracted, and the PDF structure itself is not inherently malicious beyond the embedded link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=loctite+5699+technical+data+sheet
    • https://static.usrfiles.com/ugd/b8c837_ad69518613604b57992494a838919344.pdf
    • https://static.usrfiles.com/ugd/71fd01_ac609a01440d4cbabf179479303005e1.pdf
    • https://static.usrfiles.com/ugd/b8c837_9b379de2e3ad4784b77d7e57621d9fbe.pdf
    • https://static.usrfiles.com/ugd/83f04e_82cc842a6ac54bf7ae53c821f23207f2.pdf
    • https://static.usrfiles.com/ugd/8aba0c_f2b16c408f1b4d72b32a8eafe3e0ccb9.pdf
    • https://cdn.shopify.com/s/files/1/0447/9116/9185/files/38_latin_stories.pdf
    • https://cdn.shopify.com/s/files/1/0432/0113/4754/files/wanafamiwovigamuvutiv.pdf
    • https://static.usrfiles.com/ugd/f63f29_0e7ba47b033d4bcca0c3e99d7d8b4910.pdf
    • https://static.usrfiles.com/ugd/f96b02_56a9de9f0ff2441d9b6d5ff64d262ec3.pdf
    • https://static.usrfiles.com/ugd/3cb679_da6f5d8c12914a4a937e44051a71e2dc.pdf
    • https://cdn.shopify.com/s/files/1/0447/9034/9975/files/vegafufigefizoleruzitu.pdf
    • https://cdn.shopify.com/s/files/1/0431/2920/8983/files/munokeguwedozomevufa.pdf
    • https://cdn.shopify.com/s/files/1/0434/7346/9597/files/namorikejediwanovoketedo.pdf
    • https://cdn.shopify.com/s/files/1/0434/1009/6284/files/47689751435.pdf
    • https://cdn.shopify.com/s/files/1/0435/0682/7428/files/sogakukevoxorilusubirumop.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001c818.bin
5c9dd51be1aebafdb1bc8551b8f10b16fbe6560ab3c46819d8ee1270b7903860		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C818 5304 bytes
font_01_sfnt_off0001da25.bin
7c92686256f20773b957bcf4f279778d9e0fb6da0caf5e86fc7ffb9f0a50b55b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1DA25 16368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.