Malicious PDF — malware analysis report

Static analysis result for SHA-256 377ec66aa6955d57…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Created: 2020-08-29 13:56:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 484cee397d6e434267a99adfbf181601
SHA-1: c8ebe29354e013249df0a6af8b13ac4b326e56cb
SHA-256: 377ec66aa6955d573cfe007ab53c5ece1f12fb8f020ad5cddaff0f80d3ae2dcc
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'https://ttraff.com/wix?keyword=house+with+half+an+acre'. This indicates the document's primary purpose is to redirect users to a potentially harmful external site. The document body, though heavily obfuscated, contains the same URL, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=house+with+half+an+acre

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004e38.bin
    SHA-256: 4f8df229b355448b081035bea610614a498277a256a3816aca1ebb9f126766e2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E38
    Size: 5024 bytes
  • font_01_sfnt_off00005f50.bin
    SHA-256: 0e0af0288786097253fd4f717a629e4b9663be04bba7bbc0e355be6572237e21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F50
    Size: 13940 bytes