Malicious PDF — malware analysis report

Static analysis result for SHA-256 30f5e6d7e89c64e7…

MALICIOUS

PDF

45.2 KB Created: 2020-09-13 20:40:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 813be712222141f81d83a289f5b3fce3 SHA-1: 4136fd34683f4510ae01bbe1100b5a56beeb2027 SHA-256: 30f5e6d7e89c64e738a4d9ed420bad1fc59a7a017530908bebf90bdb4d393f8a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded URLs, with a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=wii+u+file+manager'. Another critical heuristic identified a PDF link farm, indicating a broad distribution attempt. The document body, though heavily obfuscated, contains references to 'Wii u file manager' and the malicious URL, suggesting a lure to trick users into clicking the link. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=wii+u+file+manager
    • http://files.masteringphotography.com/uploads/1/3/2/7/132712000/4092991.pdf
    • http://tatetuke.aliveandwellband.com/uploads/1/3/1/4/131453336/majufesiwilajam_sozabizo.pdf
    • http://files.illinoisdelta.org/uploads/1/3/2/6/132681938/2186787.pdf
    • http://files.groundsquirrelbmp.com/uploads/1/3/1/4/131407918/poxit-movibikefopogux-wowus-zonikanamot.pdf
    • http://files.diocesanchurchdevelopment.org/uploads/1/3/1/3/131384771/90f1a51.pdf
    • https://cdn.shopify.com/s/files/1/0432/4615/7992/files/rupture_hepatoma_guideline.pdf
    • https://cdn.shopify.com/s/files/1/0438/7792/5019/files/33953679933.pdf
    • https://cdn.shopify.com/s/files/1/0435/5152/2977/files/boogie_woogie_goose_piano_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0431/9451/5614/files/nuwafitogudataxevajokasow.pdf
    • https://cdn.shopify.com/s/files/1/0435/4818/0634/files/34515033594.pdf
    • https://cdn.shopify.com/s/files/1/0431/5666/8573/files/silicon_valley_s04e05_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0437/6055/0046/files/the_hero_s_journey_chart_answers.pdf
    • https://static.usrfiles.com/ugd/4c7633_bef7f4b06fc3416792292147ab392cb5.pdf
    • https://static.usrfiles.com/ugd/bcfc12_43788d53cced4c89b246f47c98c1d113.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f07.bin
cdedd3f8bf6083c75cfe51d9e830a7c93766e591832ce2659703784a612770d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F07 4924 bytes
font_01_sfnt_off00007fbe.bin
62159050f5cb24c960d44f73d1de844494c09967089eae446ace669e55937a3a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FBE 12440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.