Malicious PDF — malware analysis report

Static analysis result for SHA-256 3db55a8a32f5f3c7…

MALICIOUS

PDF

37.5 KB Created: 2020-08-30 06:05:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 473a0a016b64a321e013cdd9e35f41e5 SHA-1: 08d773a7325160146629a946b4871af0ff05866c SHA-256: 3db55a8a32f5f3c739af68eb4de4f51388001a8f3ee37d03bdd329948bda6869
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=db2+tutorial+pdf'. This indicates an attempt to redirect the user to a malicious site, likely for phishing or malware distribution. The document body, though heavily obfuscated, contains references to the same URL and other benign-looking PDF links, suggesting a lure to disguise the malicious intent. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=db2+tutorial+pdf
    • https://static.usrfiles.com/ugd/87b9a8_1122201b8b2f439a9619998973449587.pdf
    • https://static.usrfiles.com/ugd/87a178_13268178e1c7445ea0b246b06b2e91b4.pdf
    • https://static.usrfiles.com/ugd/5de1df_bd68af788f924160adbe8d77e2f147c8.pdf
    • https://cdn.shopify.com/s/files/1/0433/1008/8360/files/20179765614.pdf
    • https://cdn.shopify.com/s/files/1/0428/5428/5479/files/11170782020.pdf
    • https://static.usrfiles.com/ugd/77eba6_8486945b75e94d7fb59d025654ac3cc9.pdf
    • https://static.usrfiles.com/ugd/b8c837_f6838e4ac79d4bb3b46e4367ecfe7b12.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba86afe613074227a05aa2af7d7f609d.pdf
    • https://static.usrfiles.com/ugd/ca9b0a_7327fdb077f34660bc98bd024ba91ff0.pdf
    • https://static.usrfiles.com/ugd/ab922d_b16706ea80d74f4298f191b8956ab320.pdf
    • https://static.usrfiles.com/ugd/b8c837_7537b8bda36c4852a864750e6f42c8f7.pdf
    • https://static.usrfiles.com/ugd/badafb_0cbbd0f8decf4b2992dec95a67c6463f.pdf
    • https://static.usrfiles.com/ugd/b8c837_6860b9c7d6f949738318f04aabb7d47a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a8d.bin
733302cbe0f18e12c6a992f6da8ab2e0c869ce70b9f4c74fcdede070251bf47e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A8D 4784 bytes
font_01_sfnt_off00005ad9.bin
63420c4ed0956e91d6ee15444175c64d3ddb0bb88c01e37f4684a5b8eb3dd281		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AD9 9548 bytes
font_02_sfnt_off00007b6f.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B6F 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.