Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b3729dc5f5d07b9…

MALICIOUS

PDF

44.7 KB Created: 2020-09-01 01:44:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97d9c8e792f6c7d41552affeb7d26169 SHA-1: db7eeb2a26174543594aff97080171066541299f SHA-256: 3b3729dc5f5d07b945f0f2fc7d5108d3ff6c98e80fe115aaf022c9b3cff42546
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a lure related to an 'Australia tourist visa checklist' and embeds multiple links. One critical heuristic indicates a malicious redirector link pointing to 'ttraff.cc', which is known for malicious activity. Another heuristic flags the PDF as a link farm, containing numerous external PDF links, many hosted on Shopify. The document body, though partially corrupted, contains the lure text and the malicious URL. The primary attack pattern involves social engineering to trick users into clicking a malicious link, likely leading to further compromise.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=australia+tourist+visa+checklist+pdf
    • https://cdn.shopify.com/s/files/1/0433/9875/8557/files/wavinarokilotev.pdf
    • https://cdn.shopify.com/s/files/1/0437/5268/5717/files/pdf_xchange_viewer_64_bit.pdf
    • https://cdn.shopify.com/s/files/1/0431/5702/9019/files/vuxemonofokeb.pdf
    • https://static.usrfiles.com/ugd/b8c837_8d6882410fd848d0a33e1b415cfd021a.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba8a2f2db8b14466b97b3b22b514a429.pdf
    • https://static.usrfiles.com/ugd/2e4eb4_c6aec932fc3b4fc0ac758611e6a1779d.pdf
    • https://static.usrfiles.com/ugd/b28561_ba94b73c0d5e44c5a28f16faaf3a5e8e.pdf
    • https://static.usrfiles.com/ugd/b8c837_7ecafe7353ed4ead9ff7b02385f5eb06.pdf
    • https://cdn.shopify.com/s/files/1/0437/3830/0568/files/78371601410.pdf
    • https://cdn.shopify.com/s/files/1/0429/8987/9445/files/95723263798.pdf
    • https://cdn.shopify.com/s/files/1/0465/3986/6270/files/46606992234.pdf
    • https://cdn.shopify.com/s/files/1/0435/0240/3750/files/national_library_of_pakistan_islamabad_membership_form.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071cc.bin
44c8b8c28c112b1a0e05acdf3d17d1303467ec8e1f3c2ad08d3cf3dd3f1e1b9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71CC 5356 bytes
font_01_sfnt_off00008408.bin
7223323ef468ce1b391e9fbd94360f94abcb257310907c1cb3daf8776c87093b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8408 10000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.