Malicious PDF — malware analysis report

Static analysis result for SHA-256 25bca0d8b2c0e429…

MALICIOUS

PDF

Size: 101.0 KB
Created: 2020-09-20 21:50:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2206e569663267dad9536bc9e9d5b099
SHA-1: 06cde53c7f67fc284091a24bc2f59290019d9bc4
SHA-256: 25bca0d8b2c0e429581f3c47d2b634513bf6d543bf5047300f1614adb42d00ac
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF triggers heuristics indicating that it is a malicious redirector and part of a link farm, masquerading as an invoice or payment lure. The embedded URL, https://ttraff.cc/wix?keyword=project+management+the+managerial+process+5th+edition+solution+manual+free+download, is a critical indicator of malicious intent and likely leads to further compromise. The document body, although heavily obfuscated, contains the same URL, reinforcing its role as a lure.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK — PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM — Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_INVOICE_LURE — Fake invoice / payment lure
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • [info] EMBEDDED_URL — Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=project+management+the+managerial+process+5th+edition+solution+manual+free+download

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

font_00_sfnt_off00012a89.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12A89 | 1684 bytes
  SHA-256: 51fdace8bd53b7d2e6af2c0ab3a57c298b99a0f760d42a36c32010743562cd6d

font_01_sfnt_off000132bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x132BC | 3696 bytes
  SHA-256: f9c4b62c5d84c02e62bfe2169f02fba1c442c79cf6c30dd938ff37c8ebc8e449

font_02_sfnt_off00013fef.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13FEF | 5864 bytes
  SHA-256: 790122fa13cc7834e5ee2794237d2ffb17da2ddc753582808d735d2b2a7b97c6

font_03_sfnt_off000153d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x153D0 | 15392 bytes
  SHA-256: 561172c36e5ebce7fca48f4a8783ebce2926568e0e077996ce40566e918812fa