Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b03e04c4cb2469a…

MALICIOUS

PDF

34.1 KB Created: 2020-09-20 23:09:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ba4a25038296ee3c4751c8f964c6605 SHA-1: 3a87daffc23615db179c67689c67d095875c486a SHA-256: 3b03e04c4cb2469a42fd0bcfb2c93326fe30ad66d177a1be6da7cd082e118aa9
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with one critical heuristic identifying a link to known malicious redirector infrastructure. The embedded URL, 'https://ttraff.me/wix?keyword=nulaxy+bluetooth+fm+transmitter+change+station', is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains references to product names and the URL, suggesting a lure to a potentially malicious site disguised as product information.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=nulaxy+bluetooth+fm+transmitter+change+station
    • https://7ee6b665-5d27-4ddc-b883-dbde59cf556c.filesusr.com/ugd/3b6424_d071105e74e94661bd427ec6064c2e59.pdf?index=true
    • https://8ea43f5e-afad-45b4-8806-6bf0a0b2c84a.filesusr.com/ugd/73cb9e_97423ee979d341cf81bf5c6bea17d1ef.pdf?index=true
    • https://53feaeaa-e768-4cf1-94ca-a08019704f64.filesusr.com/ugd/3b47cb_5fcec24fc0a74dd1898a584924de9746.pdf?index=true
    • https://127d7244-0a4b-4660-93f7-cf362c66db78.filesusr.com/ugd/15ebe2_9a96c0e98a5c441295d1df4dd0b26318.pdf?index=true
    • https://2328a3d2-197a-4bf7-9f62-998720a7c84e.filesusr.com/ugd/f68081_2399cda855eb43b19d4ca83b4133632d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/1763/3945/files/90954899750.pdf
    • https://cdn.shopify.com/s/files/1/0480/1511/4399/files/cessna_182_skylane_specs.pdf
    • https://cdn.shopify.com/s/files/1/0431/2583/3884/files/norton_antivirus_cracked.pdf
    • https://cdn.shopify.com/s/files/1/0434/5289/1298/files/78568589897.pdf
    • https://d6885bf6-c3f5-4424-847f-1811970b2139.filesusr.com/ugd/ee4d88_8b1e234b57144c03aba83de9114ea53c.pdf?index=true
    • https://c8ed8c5a-a6bd-46a2-a983-2cab53387758.filesusr.com/ugd/dba42a_49145a29f7cd431990e3f53fb722d2a2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004692.bin
284d54ca38a1419fdaac0c572ccc681c41d5a06f838100a9e28b5eaa0b82677a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4692 5576 bytes
font_01_sfnt_off00005974.bin
9725ec2217adbf7122aa3ec34ddb8087cd1d2402a86a93dc18f64281becd5e9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5974 10016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.