Malicious PDF — malware analysis report

Static analysis result for SHA-256 345ddd8fbfa6d6b3…

MALICIOUS

PDF

41.1 KB Created: 2020-08-31 05:07:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a2d0e0b5ac0f394aa46e074cd60056f SHA-1: 3b91a6e32f126c25c88727e025a41d39ed64bed7 SHA-256: 345ddd8fbfa6d6b3954da57fe32dc8db59bb790f0020b2392822ff1d0f31ab17
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=performance+appraisal+examples+pdf'. The document body, though heavily obfuscated, also contains this URL, suggesting it's intended to lure the user to a malicious site under the guise of providing performance appraisal examples. The file also contains a large number of embedded links, many of which point to Shopify domains, but the primary malicious indicator is the ttraff.cc redirector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=performance+appraisal+examples+pdf
    • https://cdn.shopify.com/s/files/1/0440/1872/9125/files/47146908506.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/53551688275.pdf
    • https://cdn.shopify.com/s/files/1/0463/2576/0155/files/56290788826.pdf
    • https://cdn.shopify.com/s/files/1/0428/3429/6988/files/footway_group_ab_annual_report.pdf
    • https://cdn.shopify.com/s/files/1/0432/6031/3763/files/22832998604.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sasukeseduvemuledup.pdf
    • https://static.usrfiles.com/ugd/07625c_2ccccedae7bc4757a9cebf042b4fa4ce.pdf
    • https://static.usrfiles.com/ugd/21e6f2_c4cc9060ed944562b688d3e2686a8f93.pdf
    • https://static.usrfiles.com/ugd/db1da1_71d712e18445468ca32179f4f96a0657.pdf
    • https://static.usrfiles.com/ugd/b8c837_4b3ccff3355c4b72882e361250503326.pdf
    • https://static.usrfiles.com/ugd/e23fbb_f04cc1c5ee2749cdac028334262b7458.pdf
    • https://static.usrfiles.com/ugd/756799_a76ffecd07864c158be55f48f2aa9821.pdf
    • https://static.usrfiles.com/ugd/de02f3_c7d27e15099e41ea96d0775677744557.pdf
    • https://static.usrfiles.com/ugd/b8c837_eab1f5ba57d3473eb3ce059b61ccb77c.pdf
    • https://static.usrfiles.com/ugd/aff7ca_bb6ba34c73c3481986f0481aa26cb8d3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://static.usrfiles.com/ugd/07625c_2ccccedae7bc4757a9cebf042b4fa4c

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063d6.bin
18ca31ecc243a9ddf647ca7ccfb3f4e6cdbc291bf51a84bb16141429f78860d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63D6 5372 bytes
font_01_sfnt_off000075f6.bin
b03e5ef011ff5aac1056bdd23288c22c4f169fffd795e7f9c15b9a94d922e39c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75F6 9696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.