Malicious PDF — malware analysis report

Static analysis result for SHA-256 2667fb1dbd7c6c22…

Verdict: MALICIOUS
File type: PDF
Size: 33.5 KB
Created: 2020-09-19 07:19:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10c9a70f45ec3661ead41a70c3ff39d4
SHA-1: 6b5b983d1c4b1c49736d056cd29489daa2c11875
SHA-256: 2667fb1dbd7c6c228c32b79169fbd9fa61236816b6073bdc9f7a14f9c29e51a5
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for an advance-fee scam lure, indicating a deceptive social engineering tactic. It also contains numerous embedded links, with one pointing to a known malicious redirector at 'https://ttraff.me/wix?keyword=rider+flip+flops+near+me'. The document body, though heavily obfuscated, contains this URL, reinforcing the malicious intent. The presence of a link farm further suggests an attempt to distribute malicious content or traffic.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=rider+flip+flops+near+me

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000430d.bin
    SHA-256: e368a54663ffaee5d219d777a3243f2db9b444d8fd6615b7bf4cd8cf526e6923
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x430D
    Size: 5196 bytes
  • font_01_sfnt_off000054a8.bin
    SHA-256: dbc6d1d384de9a5fa96fcdbc62041e70dc302f4e11af84c4108dae6e826458b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54A8
    Size: 10804 bytes