Malicious PDF — malware analysis report

Static analysis result for SHA-256 33bde07d96a83e38…

MALICIOUS

PDF

39.6 KB Created: 2020-09-02 00:13:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c528d20b4f9b27165162cb0cea72442 SHA-1: 73d55e8f0c1e04b301c23ba474e9f0b453d52e1b SHA-256: 33bde07d96a83e38305c7d2a6900d307b34cd1cefc10881b49f79dfa2a371a10
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.com/wix?keyword=report+abandoned+car+auckland', is flagged as a malicious redirector. The document body, though heavily obfuscated, appears to contain text related to reporting abandoned cars, suggesting a lure to disguise the malicious intent. The presence of numerous external PDF links points towards a strategy of SEO poisoning or a broad phishing campaign.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=report+abandoned+car+auckland
    • https://static.usrfiles.com/ugd/a31856_b56930d888d44511b26f3f033562521f.pdf
    • https://static.usrfiles.com/ugd/4e6dd5_f4cc4dc65625489baf9d1503861a084e.pdf
    • https://static.usrfiles.com/ugd/a01749_229b97543f42404880bc4eb92dc582be.pdf
    • https://static.usrfiles.com/ugd/b8c837_363a21300852470bb82d5ec650e2785c.pdf
    • https://static.usrfiles.com/ugd/8ab72e_66fcb1181a6b4c6f9323b319b2b6cc45.pdf
    • https://static.usrfiles.com/ugd/6f53d7_78f2f934c61f42bd806963514c08353f.pdf
    • https://cdn.shopify.com/s/files/1/0433/9345/0134/files/93531091884.pdf
    • https://cdn.shopify.com/s/files/1/0439/4683/6123/files/tobozate.pdf
    • https://cdn.shopify.com/s/files/1/0465/7679/5815/files/73306314637.pdf
    • https://cdn.shopify.com/s/files/1/0440/1519/0181/files/ios_7._2._1_apps_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/9546/5892/files/cara_bikin_cv_format.pdf
    • https://static.usrfiles.com/ugd/b8c837_51d76e8191ad4e54acb8116c35b0e87a.pdf
    • https://static.usrfiles.com/ugd/b8c837_8152c4a5c290404e8e07b713c42156b9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d94.bin
39e78118faf00a70e8d0135037395dd9b4db8e56898970c9ba7a64fadc404357		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D94 5100 bytes
font_01_sfnt_off00006efc.bin
3d5834d8f0a958485c0300bd76dcb585eda47bdc57fc71dfd758d42f8dcd3cde		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EFC 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.