Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b0ad142ab584ebb…

Verdict: MALICIOUS
File type: PDF
Size: 36.1 KB
Created: 2020-09-22 00:20:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c124e02ca1f0664e6ef7e6e246ce546
SHA-1: 22395a070b920f5db3a5ffdd1f2cf26958019f01
SHA-256: 3b0ad142ab584ebb8e00903638a8106ddd24bd40a0456f034ad7828b7a8c220f
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.me, which is disguised as a George Foreman roaster manual. The document also exhibits characteristics of a link farm, embedding numerous other PDF links, many hosted on Shopify. The primary malicious URL is https://ttraff.me/wix?keyword=george+foreman+roaster+manual, which is likely intended to lead the user to a phishing or malware download site.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=george+foreman+roaster+manual
    • http://tanasobo.gearedforgrowth.co.uk/uploads/1/3/1/3/131379206/vusadakojidop.pdf
    • http://files.wendyestorgamusic.com/uploads/1/3/2/7/132741225/xitujejasudub.pdf
    • https://cdn.shopify.com/s/files/1/0431/6925/1487/files/gcse_music_theory_worksheets.pdf
    • https://cdn.shopify.com/s/files/1/0435/9910/2110/files/spice_finch_song.pdf
    • https://cdn.shopify.com/s/files/1/0458/9748/2394/files/car_registration_renewal_form_texas.pdf
    • https://cdn.shopify.com/s/files/1/0435/6440/0798/files/golang_template_range_string_array.pdf
    • https://cc1482b6-20e3-480e-9327-6bc942ceabe6.filesusr.com/ugd/3826db_d6007f7968524f9587e2f3d2acc25ea8.pdf?index=true
    • https://81394e64-2694-4571-b540-23f0e00ef9bb.filesusr.com/ugd/1e533a_1c33539100ed4a81958607ffe62c9e0e.pdf?index=true
    • https://b991fe70-645b-456e-9494-a877e634d717.filesusr.com/ugd/1e52da_c48ddd1b036142679ef04e3d27cbbc43.pdf?index=true
    • https://08057e50-85a4-47c4-b80a-4a8abc53a3b7.filesusr.com/ugd/fd30ac_b4f043702e684acbacc683a4100b61d5.pdf?index=true
    • https://a2a5e65c-d43d-4007-935f-112280f70f17.filesusr.com/ugd/cf9ff1_c6fc3ef61bff44d09e65c4a77ee93316.pdf?index=true
    • https://7dadc834-dcd1-4ded-ab48-b53e3b3561ec.filesusr.com/ugd/7c30af_27e78c3fbce54935b6a8e5620742cd83.pdf?index=true
    • https://9728bc04-5cb7-427c-bbbe-e0be52d9ebe6.filesusr.com/ugd/35e1ce_fa4e6998d73140f0b664d0da44415689.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004ecb.bin
  SHA-256: d3711778b0f077357a8e610c539eaa902a6b320957d9cfd5f7cbe5bc87855c90
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4ECB
  Size: 5116 bytes

Filename: font_01_sfnt_off0000601e.bin
  SHA-256: 3b87a17f68656b326e44398508172e22bc5ecaa3109edf044c97152e1b45a54f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x601E
  Size: 10432 bytes