Malicious PDF — malware analysis report

Static analysis result for SHA-256 30b2563447c62b0f…

MALICIOUS

PDF

141.4 KB Created: 2020-08-29 20:08:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81f46c16063ef3d42a86e1af796cc4c3 SHA-1: c11724e6287f161acd46bc3029c2e608da334486 SHA-256: 30b2563447c62b0f0c4a4e0bd22d742002798a57fab66fdf62a8dfddc9f4c8ec
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=mp3ape+free+download'. This URL is presented within the document body, suggesting a social engineering lure to trick users into downloading content. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to benign content hosting sites, likely to obscure the malicious redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=mp3ape+free+download
    • http://mp3ape.com
    • https://cdn.shopify.com/s/files/1/0435/4048/0164/files/college_panda_act_essay.pdf
    • https://cdn.shopify.com/s/files/1/0429/6402/5493/files/xevedajunepikewag.pdf
    • https://cdn.shopify.com/s/files/1/0431/5080/3099/files/83371367338.pdf
    • https://cdn.shopify.com/s/files/1/0447/2622/3001/files/3950375512.pdf
    • https://static.usrfiles.com/ugd/b8c837_0480742dd71943639538b7cb4bedafa8.pdf
    • https://static.usrfiles.com/ugd/e2c250_334311b2a95d44d58646cd8a48feb172.pdf
    • https://static.usrfiles.com/ugd/b8c837_d11437a55e144f4ba2404a42807a9aa8.pdf
    • https://static.usrfiles.com/ugd/b8c837_0cbf90df8ae845fba507f72abba8354c.pdf
    • https://static.usrfiles.com/ugd/b8c837_465b0c3ebe4b43219b3f6ec87d22ccf5.pdf
    • https://cdn.shopify.com/s/files/1/0439/3621/9291/files/goxepedulalo.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/jarixevuso.pdf
    • https://cdn.shopify.com/s/files/1/0432/5310/4790/files/69649243216.pdf
    • https://cdn.shopify.com/s/files/1/0427/8976/5276/files/james_bond_spectre_clothing_guide.pdf
    • https://cdn.shopify.com/s/files/1/0466/3200/9893/files/ingramspark_requirements.pdf
    • https://static.usrfiles.com/ugd/ab059d_87f4d76b8b6c4777b6a0498083c39577.pdf
    • https://static.usrfiles.com/ugd/590778_218c2b1c511245a881319f8f9ce5d373.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001e5f8.bin
ea5404c5640b255d5fecf5e69acf45f70c6d4cc8aedaa6b2d81c662adb841edf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E5F8 5120 bytes
font_01_sfnt_off0001f78d.bin
a026c8ba0b27b6b62a65172c5c37687afcfa2ea5197d845e8f0d17c0fd36e0ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F78D 15796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.