Malicious PDF — malware analysis report

Static analysis result for SHA-256 34d1755cff93877b…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Created: 2020-08-18 15:21:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93c8ef3fd6d93697683d6b3f712351c7
SHA-1: 1c6d59d6c27e58d6a8379d97f1594a5a946fb671
SHA-256: 34d1755cff93877b73615bcf8b3fa8f86f1010d38992b7fa41c8a0a377bde1df
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links, and a critical heuristic flags it as a link farm. One of the primary links points to a known malicious redirector service, 'ttraff.cc', which is likely used to hide the final malicious destination. The document body itself is heavily obfuscated, and its metadata indicates it was generated by wkhtmltopdf, an HTML-to-PDF converter often used to mass-produce documents for SEO manipulation or to host malicious links.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=empirical+research+pdf
    • http://files.voltsportswear.com/uploads/1/3/0/9/130969740/6481647.pdf
    • http://files.renatascakes.com/uploads/1/3/2/7/132710763/029cf1c527a3b.pdf
    • http://ruguzeka.hartlandmainehistoricalsociety.org/uploads/1/3/2/7/132741099/barupepabaku_falubasinefarix_jutunixafazite.pdf
    • http://files.artflockstudio.com/uploads/1/3/1/4/131453990/devasajukaruvo-foxegumuv.pdf
    • https://cdn.shopify.com/s/files/1/0433/7201/9877/files/bangladeshi_natok_2019.pdf
    • https://cdn.shopify.com/s/files/1/0437/1303/6439/files/barringer_ireland_business_model_template.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/90379225571.pdf
    • https://cdn.shopify.com/s/files/1/0437/7093/7498/files/vikijupagavenatopixu.pdf
    • https://cdn.shopify.com/s/files/1/0435/3576/1576/files/amd_earnings_whisper.pdf
    • https://cdn.shopify.com/s/files/1/0433/4895/1194/files/bivitixefejarewadefoninaz.pdf
    • https://cdn.shopify.com/s/files/1/0432/0650/8701/files/cable_pulling_tools.pdf
    • https://cdn.shopify.com/s/files/1/0432/5477/5970/files/voduzoxoten.pdf
    • https://cdn.shopify.com/s/files/1/0433/2145/8853/files/adwords_fundamentals.pdf
    • https://cdn.shopify.com/s/files/1/0434/4283/1522/files/nedemapolosomuwazuxu.pdf
    The following entries are standard XMP/RDF metadata namespace URIs rather than clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000073a1.bin
    SHA-256: e579e47a245a54184a45598ac0d2556b71baa741d530401d38e72999b7c899b7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73A1
    Size: 5352 bytes
  • Filename: font_01_sfnt_off000085a2.bin
    SHA-256: 3f04913ac216767f0c1398e6c5cb66a850651e815d6c5319a82d47f5557246e8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x85A2
    Size: 9900 bytes