Malicious PDF — malware analysis report

Static analysis result for SHA-256 34f28881acdeb69f…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB   Created: 2020-08-30 15:51:39 +03:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fd389cc74cc5503c7de26ac72fad855   SHA-1: 6bcb3716405a6d29537d1e768247e284d94ab472   SHA-256: 34f28881acdeb69ffa43381dc0d8a9c3b071c7b3e4083d6a9c3d6dce90f1e9c4
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the sub-technique that matches the clickable-redirector behaviour described below; T1566.001 is the attachment variant). T1059.001 PowerShell (no script or PowerShell artifact appears among the static findings on this page, so this mapping is not supported by the extracted evidence shown here).

The PDF carries multiple embedded links, one of which, 'https://ttraff.com/wix?keyword=pelvic+massage+techniques', is a known malicious redirector. The document body is heavily obfuscated, but that URL is recoverable from it and is flagged as malicious. The keyword-stuffed query string is typical of SEO bait, and together with the link farm listed below it indicates that the document exists only to route a reader who clicks through to a malicious site, most likely for phishing or unwanted-software delivery. Nothing on this page points to a parser exploit: the file is harmful through what it links to, not through how it renders.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in the destination of the click rather than in opening the file.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample 17 of the extracted links point at .pdf files, 12 of them on cdn.shopify.com and 5 on static.usrfiles.com.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) records how each URL is reached.
    • https://ttraff.com/wix?keyword=pelvic+massage+techniques
    • https://static.usrfiles.com/ugd/9d869b_ee14e8cd41e64d97acfe2e0e2b810e47.pdf
    • https://static.usrfiles.com/ugd/b8c837_0b5c84a9abae4ccda056b9ca426630ea.pdf
    • https://static.usrfiles.com/ugd/b8c837_9c2b311fd0604e8ab69bc6dafbfeca05.pdf
    • https://static.usrfiles.com/ugd/accd1f_ab40ceae2ce64434a1975f8edf6a5439.pdf
    • https://static.usrfiles.com/ugd/b8c837_4c6641363833409b82816d758d0509e3.pdf
    • https://cdn.shopify.com/s/files/1/0429/9928/3861/files/45218940780.pdf
    • https://cdn.shopify.com/s/files/1/0432/4501/1112/files/comparative_adjectives_list.pdf
    • https://cdn.shopify.com/s/files/1/0436/0955/5107/files/33_septa_bus_schedule.pdf
    • https://cdn.shopify.com/s/files/1/0431/8032/7070/files/mexico_customs_declaration_form_2018.pdf
    • https://cdn.shopify.com/s/files/1/0432/2761/1300/files/48200568997.pdf
    • https://cdn.shopify.com/s/files/1/0437/8099/7269/files/magic_bullet_recipe_book.pdf
    • https://cdn.shopify.com/s/files/1/0433/3505/7559/files/albumin_kit.pdf
    • https://cdn.shopify.com/s/files/1/0437/1942/6197/files/62535344130.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/23342697578.pdf
    • https://cdn.shopify.com/s/files/1/0433/4397/0463/files/pibitegapefatakowilutudi.pdf
    • https://cdn.shopify.com/s/files/1/0433/4298/7423/files/bootstrap_templates_admin.pdf
    • https://cdn.shopify.com/s/files/1/0434/4823/8242/files/calidad_total_y_productividad_descargar.pdf
    The remaining six entries are XML namespace identifiers from the document's XMP metadata stream, not links a reader can follow; they are listed because the URL extractor reports every URL-shaped string it finds:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
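The three heuristics above can be reproduced outside the analysis platform. The following is an added example, not the platform's code: it pulls URLs out of a PDF by channel (link annotations versus the rest of the body, with XMP namespace identifiers dropped), then applies a redirector-host check and a link-farm check to a constructed one-page PDF that mirrors this sample's layout. The thresholds (100 KiB for "small", at least 8 .pdf links, more than half on one host), the redirector host list (seeded only with ttraff.com, the host this report flags) and the sample link paths are assumptions; none of them come from the report.

```python
"""Re-implementation of the report's link heuristics over a constructed PDF.
Added example; this is not the analysis platform's code. Thresholds and the
redirector host list are assumptions, not values taken from the report."""
import re
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}   # assumption: seeded with the host this report flags
SMALL_PDF_BYTES = 100 * 1024              # assumption: what "small PDF" means
LINK_FARM_MIN_LINKS = 8                   # assumption: minimum external .pdf links
LINK_FARM_CLUSTER_SHARE = 0.5             # assumption: share of links on the top host
XMP_NAMESPACE_PREFIXES = (                # schema identifiers, not user-clickable links
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /A << /S /URI /URI (...) >>
BODY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")        # anything else that looks like a URL


def extract_urls(pdf: bytes) -> dict:
    """Split URLs by the channel that reaches them, as the EMBEDDED_URL note describes."""
    annots = [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf)]
    remainder = URI_ANNOT_RE.sub(b"", pdf)   # scan the body without re-counting annotations
    body = [m.group(0).decode("latin-1") for m in BODY_URL_RE.finditer(remainder)]
    body = [u for u in body if not u.startswith(XMP_NAMESPACE_PREFIXES)]
    return {"link_annotation": annots, "document_body": body}


def evaluate(pdf: bytes) -> list:
    """Return (severity, heuristic_id) pairs in the order the report lists them."""
    urls = extract_urls(pdf)
    findings = []
    all_urls = urls["link_annotation"] + urls["document_body"]
    if any((urlparse(u).hostname or "") in KNOWN_REDIRECTOR_HOSTS for u in all_urls):
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK"))
    # Link farm: many clickable .pdf links, mostly on one host, inside a small carrier.
    pdf_links = [u for u in urls["link_annotation"] if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf) <= SMALL_PDF_BYTES and len(pdf_links) >= LINK_FARM_MIN_LINKS:
        _, top_n = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0]
        if top_n / len(pdf_links) > LINK_FARM_CLUSTER_SHARE:
            findings.append(("critical", "PDF_SEO_LINK_FARM"))
    if all_urls:
        findings.append(("info", "EMBEDDED_URL"))
    return findings


def build_sample_pdf(link_urls, body_url: str) -> bytes:
    """Constructed sample: one page whose only content is /Link annotations, a text
    string carrying body_url, and an XMP metadata stream. The xref table is omitted;
    the regex extractor above does not need one."""
    objs = ["<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    first_annot = 6                       # objects 1..5 are catalog, pages, page, XMP, content
    annot_refs = " ".join(f"{first_annot + i} 0 R" for i in range(len(link_urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [{annot_refs}] >>")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs.append(f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream")
    content = f"BT /F1 8 Tf 10 10 Td ({body_url}) Tj ET"
    objs.append(f"<< /Length {len(content)} >>\nstream\n{content}\nendstream")
    for u in link_urls:
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 200 12] "
                    f"/A << /S /URI /URI ({u}) >> >>")
    body = "".join(f"{n} 0 obj\n{o}\nendobj\n" for n, o in enumerate(objs, start=1))
    return ("%PDF-1.4\n" + body + "%%EOF\n").encode("latin-1")


REDIRECTOR_URL = "https://ttraff.com/wix?keyword=pelvic+massage+techniques"
# Constructed link farm (paths are made up): 12 links on one host, 5 on another, plus the redirector.
SAMPLE_LINKS = ([f"https://cdn.shopify.com/s/files/1/0429/9928/3861/files/{4521894078 + i}.pdf"
                 for i in range(12)]
                + [f"https://static.usrfiles.com/ugd/b8c837_{i:032x}.pdf" for i in range(5)]
                + [REDIRECTOR_URL])
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, REDIRECTOR_URL)

if __name__ == "__main__":
    for severity, ident in evaluate(SAMPLE_PDF):
        print(f"{severity:8s} {ident}")
```

The regex extractor deliberately ignores the xref table and object streams, which is enough for a wkhtmltopdf-style file whose annotations are stored uncompressed; a PDF that packs its annotation dictionaries into a FlateDecode object stream would need the streams inflated first, or a real parser such as pdfminer or pypdf in front of the same heuristics.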

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded fonts are normal in HTML-to-PDF output; neither carved font is tied to any heuristic above, and they are listed for completeness.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off000087ea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x87EA | 5304 bytes
  SHA-256: 8b2ceaa3575e25c2bf1dca7faf25f093b65777b5af88fea5dc82ebef8d8c86e4
font_01_sfnt_off000099d7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99D7 | 10024 bytes
  SHA-256: 8725e8ff8c2ca649a43fd1850de92c23251467665e9535cb420fede3eb147986