Malicious PDF — malware analysis report

Static analysis result for SHA-256 26f15ae9f4250d66…

MALICIOUS

PDF

42.8 KB Created: 2020-09-02 12:03:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d1ce18b41f14ef8c6d6830bf5bfdec9 SHA-1: f3f8ea56095730e28b2ebc9bcced9e059139957b SHA-256: 26f15ae9f4250d66e3421bcc55b0c280e4248db7fe677ae7665daf5030445f08
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=residential+building+floor+plan+pdf'. The document body, though heavily obfuscated, also contains this URL, suggesting it's intended to trick the user into clicking it. The file also contains a large number of embedded links, many pointing to Shopify domains, which is characteristic of SEO spam or link farm tactics used to distribute malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=residential+building+floor+plan+pdf
    • https://static.usrfiles.com/ugd/b8c837_22a277fea62c494f8fa2f190366ff8c7.pdf
    • https://static.usrfiles.com/ugd/5d2cf3_b78c7acb593e452f8d22695a345eedcb.pdf
    • https://static.usrfiles.com/ugd/b8c837_34b899ffa7ce4a47b708cf60390c11b2.pdf
    • https://cdn.shopify.com/s/files/1/0437/7794/9848/files/pelasubugemekivededesol.pdf
    • https://cdn.shopify.com/s/files/1/0437/2188/3816/files/audient_zen.pdf
    • https://cdn.shopify.com/s/files/1/0433/4528/1183/files/lumowutur.pdf
    • https://static.usrfiles.com/ugd/13ae68_7bc07d04a7534258adf46acd2cfc0823.pdf
    • https://static.usrfiles.com/ugd/856cea_28599c766a3e4493a9a839d790958e12.pdf
    • https://static.usrfiles.com/ugd/b8c837_d875483a2744488dac7ae11cefa3fc74.pdf
    • https://cdn.shopify.com/s/files/1/0437/6195/9069/files/gba_emulator_mac.pdf
    • https://cdn.shopify.com/s/files/1/0431/5830/6980/files/formal_dresses_brisbane_shops.pdf
    • https://cdn.shopify.com/s/files/1/0432/1227/5870/files/international_accreditation_forum.pdf
    • https://cdn.shopify.com/s/files/1/0435/9897/1038/files/bubudoram.pdf
    • https://cdn.shopify.com/s/files/1/0431/3150/2749/files/st_blends_worksheets.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a94.bin
a7d241f067f66800876e946f01f921bf5fc5946c3c6a0b4bd9af7d8a9094f65e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A94 5356 bytes
font_01_sfnt_off00007cd8.bin
83175490bebd293487862ed1fc99f23c507c6682f61d50985d3b6adebb333fba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CD8 9904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.