Malicious PDF — malware analysis report

Static analysis result for SHA-256 302796c81775f089…

MALICIOUS

PDF

64.0 KB Created: 2020-09-03 02:33:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60b5a83db71bac8e29a7a80356bf5f0b SHA-1: e5881754f759ff2f7b2b2135f03e5e30f93d60a8 SHA-256: 302796c81775f08980c5b777e30ae41e060523868036064746e2c682a9b7e694
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/wix?keyword=eclipse+c+cdt'. This indicates an attempt to direct the user to a malicious site under the guise of providing information related to 'Eclipse c cdt'. The PDF also contains a mass external PDF link farm, further supporting a malicious intent to distribute content or redirect users. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=eclipse+c+cdt
    • https://cdn.shopify.com/s/files/1/0438/8493/7384/files/38433869459.pdf
    • https://cdn.shopify.com/s/files/1/0428/9118/2243/files/maresu.pdf
    • https://cdn.shopify.com/s/files/1/0432/6123/1262/files/65082722119.pdf
    • https://cdn.shopify.com/s/files/1/0435/4031/6319/files/16423056754.pdf
    • https://cdn.shopify.com/s/files/1/0429/7962/3071/files/23449549755.pdf
    • https://static.usrfiles.com/ugd/4d400c_57bd66fc73254d2bb8e1a766ae89c4e9.pdf
    • https://static.usrfiles.com/ugd/b58d21_397c7248ccca4844a9936b88ecffb45d.pdf
    • https://static.usrfiles.com/ugd/bd5c68_2f8dab6067874ae9bcb2caf101ef4a55.pdf
    • https://static.usrfiles.com/ugd/b8c837_a29c0173d06040b0b845b4705acdf5d5.pdf
    • https://static.usrfiles.com/ugd/0ad6c7_6b41d73f9fb54543bbbd1e88fe6a8f8a.pdf
    • https://static.usrfiles.com/ugd/b8c837_ec67cc3a1201451396d892e0c2da5cc6.pdf
    • https://static.usrfiles.com/ugd/0d9a50_dc672b50bdcd4e62a5ba29393f564525.pdf
    • https://static.usrfiles.com/ugd/72b0e7_893d8cac159c4c1aa86939383adc360c.pdf
    • https://static.usrfiles.com/ugd/c33cdb_f3dcf20b8a244573bb46b3c586997904.pdf
    • https://static.usrfiles.com/ugd/f3cb45_d5161179e5dd42c787612432b1bca6d0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000aace.bin
390e8c42d76d0076d20c9bec2adffec862b44d9e68deade416b9409395148276		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAACE 4288 bytes
font_01_sfnt_off0000b963.bin
9334a59a48b51ec38b943f32d32c0498399fefd75c10e7fe3ed32a078fc1aa30		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB963 13836 bytes
font_02_sfnt_off0000e548.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE548 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.