Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c1595eafe935b11…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Created: 2020-09-17 10:01:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04f5e2045780ae39d57c3e3cf2b0b587
SHA-1: d4be7602c0b738a448ae22f115418793480841b1
SHA-256: 3c1595eafe935b112f12183f065cf4a5a883021e8fe622c93350e7d7c1973aaf
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a malicious redirector link disguised as a source for 'Metropcs music ringtones'. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this link points to known malicious infrastructure. Additionally, the PDF_SEO_LINK_FARM heuristic indicates a large number of embedded links, suggesting a broad phishing or malware distribution attempt. The SE_CALLBACK_LURE heuristic further suggests a phishing context, possibly aiming to trick users into calling a fraudulent support number.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL flagged by PDF_MALICIOUS_REDIRECTOR_LINK (link annotation): https://ttraff.ru/wix?keyword=metropcs+music+ringtones

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000056ce.bin
    SHA-256: f3d3b68553457bfde243645746e4aa623203154123e7e2cfd3681118ffb6dac4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x56CE
    Size: 5016 bytes
  • font_01_sfnt_off000067d9.bin
    SHA-256: fdc1359b676f03af8f85b714e3961a6f34e7ce1a6419c698a064afe8b1360ce7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67D9
    Size: 10504 bytes