Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ba3f39a1d6fc432…

MALICIOUS

PDF

43.7 KB Created: 2020-08-31 00:44:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8de32f339a325871c68e2e696746e42e SHA-1: f9fe4f1d427e46e7771039e00e1186b648841ae3 SHA-256: 3ba3f39a1d6fc432ca009201c0c6d6d7389f3b3b3ac3beaf7ded4d3a5b3b4855
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=a+guide+to+it+technical+support+9th'. This URL is presented within the document body, suggesting a social engineering lure related to IT technical support. The PDF also exhibits characteristics of a link farm, with numerous external links, many pointing to Shopify domains, likely for SEO manipulation or to host further malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=a+guide+to+it+technical+support+9th
    • https://static.usrfiles.co
    • https://cdn.shopify.com/s/files/1/0432/8095/7598/files/aggressive_behaviour_scale.pdf
    • https://cdn.shopify.com/s/files/1/0433/1651/0873/files/gukodulurasonituxet.pdf
    • https://cdn.shopify.com/s/files/1/0432/5241/6672/files/91593137204.pdf
    • https://cdn.shopify.com/s/files/1/0428/5349/9046/files/vizezobinefukifapizalabaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/5190/9274/files/kesibunewanimezixamo.pdf
    • https://static.usrfiles.com/ugd/565485_687e8c5ee1064fe582acd3f127c9e74e.pdf
    • https://static.usrfiles.com/ugd/b8c837_9dab5f8518744f5480a8a1142c8bc6f9.pdf
    • https://static.usrfiles.com/ugd/b88e3d_2c51cb987fb64eb3a3b2026ced5d3e49.pdf
    • https://static.usrfiles.com/ugd/286fb8_718225c697c948b49d1daa65e6694b91.pdf
    • https://static.usrfiles.com/ugd/99965f_5fb8db02e1b9406a9ccb9f24c94fc2be.pdf
    • https://static.usrfiles.com/ugd/b8c837_a86d8827fcc54690a3be15e679b07105.pdf
    • https://static.usrfiles.com/ugd/b972d5_7406624ea23a45ad8853f8818195938f.pdf
    • https://static.usrfiles.com/ugd/934fc3_84dfd4292b8041d89c7e2f377a8a0142.pdf
    • https://static.usrfiles.com/ugd/516574_5da82191198d407bad932cefb84a6d74.pdf
    • https://static.usrfiles.com/ugd/0047a4_dc123f0c0f524f2592da54841711f84d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006aca.bin
2b3072aeb89d45d7f717c0bf0cdc1f3029dba9ba22e0f8b2e94e35ae471883d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6ACA 5480 bytes
font_01_sfnt_off00007d5c.bin
ea527244bc1660a6832285d1ba590e3b89b8053eb4980efdc1a400d6348e5aa3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D5C 10720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.