Malicious PDF — malware analysis report

Static analysis result for SHA-256 31196aed10442002…

MALICIOUS

PDF

Size: 58.2 KB
Created: 2020-10-16 21:11:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7db3918f338b13aa577dfd2c02bc6ee4
SHA-1: 47d4e947d86c07eb312237c43cbff9d940cb26a1
SHA-256: 31196aed10442002ca253df5edc8ca67591409efabb6e688f783c9d7e16f7040
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a prominent link to 'ttraff.me' which is flagged as a malicious redirector, and the document body explicitly mentions 'Imichat download for android'. The PDF also contains a large number of embedded links, many pointing to cdn-cms.f-static.net, suggesting a link farm or SEO poisoning tactic to drive traffic to malicious sites. The primary intent appears to be social engineering users into downloading a potentially malicious Android application.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/123?keyword=imichat+download+for+android

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000098e6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x98E6 | 5112 bytes
  SHA-256: 95249ff9baca77f2f249808c52f0e2ad5d9049df4bc57238fe8dbc33bc021146
font_01_sfnt_off0000aa27.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA27 | 15820 bytes
  SHA-256: 219c25540b29fd473ec79c27554ee46265e2697cc302bdd274651937b025d3ef