Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c759cb769666509…

MALICIOUS

PDF

45.0 KB Created: 2020-08-23 09:39:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 95edac7da700fe13d236e564abe11bfe SHA-1: 123007f102b09d57ac6cd86c8fa2f96fc8fa01f7 SHA-256: 3c759cb76966650931c93ef7231b928b61b59995105b78df79b74247ce42f4db
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a link farm and a direct link to a known malicious redirector, ttraff.cc. The document body, though heavily obfuscated, contains text related to running a Linux VM on Android, likely a lure. The primary malicious IOC is the redirector URL, which is designed to lead users to further malicious content. The PDF structure and link farm suggest a social engineering attack aimed at driving traffic to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=run+linux+virtual+machine+on+android
    • http://tefurafu.vitalmoves.net/uploads/1/3/1/3/131384714/buwugulov.pdf
    • http://gujun.thegratitudeproject.ca/uploads/1/3/1/4/131438684/meregubirubazaf-pinazasedor.pdf
    • http://files.budreau.ca/uploads/1/3/0/9/130969791/5846279.pdf
    • http://pazuw.staidans.ie/uploads/1/3/2/7/132711949/28599.pdf
    • http://gepawogo.dianedailydose.com/uploads/1/3/0/7/130775735/wadab_pikigatum_larozipi_savomezuniva.pdf
    • https://cdn.shopify.com/s/files/1/0437/2119/5688/files/coleman_tent_air_conditioner.pdf
    • https://cdn.shopify.com/s/files/1/0431/6125/6091/files/xijifikukopasexidijerifog.pdf
    • https://cdn.shopify.com/s/files/1/0437/7939/1637/files/odisha_cabinet_minister_list_2020.pdf
    • https://cdn.shopify.com/s/files/1/0430/8267/8433/files/where_do_league_replays_go.pdf
    • https://cdn.shopify.com/s/files/1/0430/6986/6141/files/zawapilofazij.pdf
    • https://cdn.shopify.com/s/files/1/0448/3075/2930/files/32037369481.pdf
    • https://cdn.shopify.com/s/files/1/0439/0273/0408/files/affairs_cloud_current_affairs_july_2019.pdf
    • https://cdn.shopify.com/s/files/1/0427/7341/4055/files/zopameji.pdf
    • https://cdn.shopify.com/s/files/1/0438/2323/5232/files/nisojab.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064cf.bin
47e1d0a3e17462197a70ce678220093eb03b367f4005490302c13d1ee9e7fe4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64CF 5020 bytes
font_01_sfnt_off000075ad.bin
f1fe333ee37884cd5234feed07f8c2cb06cb97267dc5484954ca82032099438c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75AD 10384 bytes
font_02_sfnt_off0000992c.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x992C 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.