Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d8d8a9d665d66f2…

MALICIOUS

PDF

83.8 KB Created: 2020-09-02 19:48:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 234aeb4c995b4c50a545cf64b3b28c1e SHA-1: 06bd88c01bebfbe33d88e2c95bd965ca2818db25 SHA-256: 2d8d8a9d665d66f29b837b0c4765201a1381c003b27d06fd0edf8444b5aadd28
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a download button, aiming to trick users into visiting a malicious site. The document also hosts a link farm, suggesting an attempt to improve SEO for malicious content. The primary malicious URL identified is https://ttraff.me/wix?keyword=android+games+free++apk+offline.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=android+games+free++apk+offline
    • https://static.usrfiles.com/ugd/f46427_510cad806ff34eec824d4fd624dabc34.pdf
    • https://static.usrfiles.com/ugd/221f3a_5f5902dc460f4337a51556d40a06ce6e.pdf
    • https://static.usrfiles.com/ugd/b8c837_1f2214fddf9e40f7a60b0428f6b77bd5.pdf
    • https://static.usrfiles.com/ugd/b8c837_8684fceb92db480eb5711d996f6d6524.pdf
    • https://static.usrfiles.com/ugd/8c0e65_cb7eead4b89347d5881447c5fe26bd9e.pdf
    • https://static.usrfiles.com/ugd/0049ca_e7f7b2615815464ea8a7dfb4b2be32ab.pdf
    • https://static.usrfiles.com/ugd/b8c837_6b368c8b3df04095a262d74210bf78ad.pdf
    • https://cdn.shopify.com/s/files/1/0437/1379/0106/files/what_is_sequelize.pdf
    • https://cdn.shopify.com/s/files/1/0432/3724/5085/files/nakixito.pdf
    • https://static.usrfiles.com/ugd/067ecb_94df92aca8d44426ab4eca0c958243ad.pdf
    • https://static.usrfiles.com/ugd/f1d680_8f49876d1a93431fa25e78df92783c12.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2e0.bin
caa17876d21586122698cb769b505a95109c91218024cbc4cbc9e44c081d89de		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE2E0 5416 bytes
font_01_sfnt_off0000f53c.bin
d33d11f1ed5a13db730c96e22d98b9fca10d498f4f974fa8bef7b6b80606ed0e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF53C 9000 bytes
font_02_sfnt_off00010759.bin
eb7da6cb8591a0d411767b5ceb3566fbea29530c4f47c226c9d36c7163b7aa01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10759 10192 bytes
font_03_sfnt_off00012a78.bin
bc66a0c824976ad2ef20ab83c9c0f58d1f749f7fab132bc96df5313808cb146a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A78 16224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.