Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c145b00d72d1a31…

MALICIOUS

PDF

44.6 KB Created: 2020-08-23 02:16:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f316363bb64026c7344b2303383a2fb6 SHA-1: 313e2a83d7c8f18fe31c18b8bfd1c5451745b2ea SHA-256: 2c145b00d72d1a31acb0d403e0328f671da866be66d6ad7066a94321155c2117
168 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to 'ttraff.com', which is flagged as malicious. Additionally, it exhibits characteristics of a link farm, with numerous external PDF links, many hosted on Shopify. The presence of an MFA lure heuristic suggests an attempt to harvest credentials or session tokens. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure for 'gb whatsapp app apk for ios'.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=gb+whatsapp+app++apk+for+ios
    • http://files.burlingtonveloclub.org/uploads/1/3/2/7/132740965/1238461.pdf
    • http://files.womensoutdoorweekends.co.uk/uploads/1/3/2/7/132710700/7924301.pdf
    • http://musodaw.susan-mcmahan.com/uploads/1/3/0/7/130775557/vugajatod.pdf
    • http://xewiron.cambridgeman.com/uploads/1/3/1/3/131382133/ada9077acd2b.pdf
    • https://cdn.shopify.com/s/files/1/0431/9461/3924/files/basic_applied_mathematics_for_the_physical_sciences_download.pdf
    • https://cdn.shopify.com/s/files/1/0427/9861/2636/files/angry_birds_2_2._0_1_apk.pdf
    • https://cdn.shopify.com/s/files/1/0428/3973/6487/files/65868679902.pdf
    • https://cdn.shopify.com/s/files/1/0431/9281/1669/files/bomezojo.pdf
    • https://cdn.shopify.com/s/files/1/0431/2216/3876/files/62255350911.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pujar.pdf
    • https://cdn.shopify.com/s/files/1/0429/4747/7667/files/telesis_merlin_software.pdf
    • https://cdn.shopify.com/s/files/1/0427/9658/1020/files/jujokelovenetitibubiwemew.pdf
    • https://cdn.shopify.com/s/files/1/0430/8185/9225/files/kezizewuratolawekim.pdf
    • https://cdn.shopify.com/s/files/1/0428/8475/9711/files/2264261599.pdf
    • https://cdn.shopify.com/s/files/1/0431/8553/7175/files/95969485614.pdf
    • https://cdn.shopify.com/s/files/1/0429/2454/0071/files/65414192943.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000670d.bin
a7830af281c6d7b61dc692724ea72cf36a7ea757c697155e9fdc4833d1a940fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x670D 1768 bytes
font_01_sfnt_off00006fb4.bin
9024e86c85949c89763e8c3d2a3a5ad2732bf4ff093c91c251dcf82a86331ded		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FB4 5284 bytes
font_02_sfnt_off000081c2.bin
46da9d240c75284d19a090a0bf671058c442f8738b4e2ef746ae38fafeedc068		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81C2 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.