Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a6b956915ea893d…

MALICIOUS

PDF

49.5 KB Created: 2020-09-06 23:19:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61952394fb370285ac65bf0eb31cbb18 SHA-1: bd21da7306223b85c12938e76e3b606c2d3d0b17 SHA-256: 2a6b956915ea893da5d9ca28a6238aa3e6d4c13f69c6825f11ec9bf1cd612416
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm and a specific redirector URL disguised as a salary slip template. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK indicates that the primary URL, https://ttraff.me/wix?keyword=modele+bulletin+de+salaire+2019+pdf, leads to malicious infrastructure. The PDF_SEO_LINK_FARM heuristic suggests a large number of links, with the first being https://cdn.shopify.com/s/files/1/0433/3846/5435/files/the_hangover_full_movie.pdf, indicating a potential SEO poisoning or link farm tactic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=modele+bulletin+de+salaire+2019+pdf
    • https://cdn.shopify.com/s/files/1/0433/3846/5435/files/the_hangover_full_movie.pdf
    • https://cdn.shopify.com/s/files/1/0431/1878/8774/files/h_e_c_p_full_form.pdf
    • https://cdn.shopify.com/s/files/1/0437/6929/9098/files/kavefolowetedulekaxo.pdf
    • https://cdn.shopify.com/s/files/1/0433/4066/0895/files/hospital_bed_sheets_uk.pdf
    • https://static.usrfiles.com/ugd/906e9f_edd725ad70a440fe97e75f20c3ea14ab.pdf
    • https://static.usrfiles.com/ugd/e948c1_a1c7e7f33cac48c49749955acbdb4543.pdf
    • https://static.usrfiles.com/ugd/0511f5_15339b5384fe4a9191ad5ec9e0ef7e31.pdf
    • https://static.usrfiles.com/ugd/a3b54b_debd77b03ca941d5b9488cad2413c976.pdf
    • https://static.usrfiles.com/ugd/bd1fc0_6f01545927ae4722bdc2823d45ff7b39.pdf
    • https://cdn.shopify.com/s/files/1/0437/7883/4583/files/icloud_photo_sharing_android.pdf
    • https://cdn.shopify.com/s/files/1/0429/4275/9071/files/october_calendar_2020_printable.pdf
    • https://cdn.shopify.com/s/files/1/0431/1577/4108/files/razutenolip.pdf
    • https://cdn.shopify.com/s/files/1/0438/3349/1606/files/data_analysis_report_structure.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007016.bin
ec9f10570c4370277b218a0e952c4b299293a4afc4e5010621ac451bd91ef6ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7016 5544 bytes
font_01_sfnt_off000082f6.bin
7ea8f511f276daeb194caf721c35d3ff764bfc3f93b184f4d5bc2e958e13fd6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82F6 12012 bytes
font_02_sfnt_off0000a935.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA935 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.