Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dba0f1393e747d8…

MALICIOUS

PDF

Size: 64.9 KB
Created: 2020-09-16 19:17:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80d8a4705208ef466e316ad84a9cef62
SHA-1: bb01cce6a5e60b52c0bc8f91249357090020c6a0
SHA-256: 3dba0f1393e747d8aa3d1790a8213758a23cb14daa72c41732210da4e5e02015
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment | T1059.001 PowerShell | T1204.001 Malicious Link
(Technique IDs corrected to match their names: T1566.001 is Spearphishing Attachment and T1204.001 is Malicious Link. No finding in this report evidences PowerShell execution, so treat the T1059.001 tag as unsupported by the analysis below.)

A heuristic fires on a clickable link to the malicious redirector 'https://ttraff.me/wix?keyword=blank+page+to+type+on+computer'. The document is also a PDF link farm: a small file carrying many external links to other PDFs, several of them on cdn.shopify.com. The same redirector URL recurs in the heavily obfuscated document body. Taken together, this is a phishing or unwanted-software delivery carrier that depends on the user clicking through a redirect chain, not on a PDF parser vulnerability.

Heuristics 3

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record how each URL was reached.
    • https://ttraff.me/wix?keyword=blank+page+to+type+on+computer
    • http://files.iamwhoiaminc.org/uploads/1/3/2/6/132681690/9155037.pdf
    • http://files.bnorthphotography.com/uploads/1/3/1/3/131398234/bofiwu.pdf
    • https://cdn.shopify.com/s/files/1/0437/0730/2037/files/best_website_to_songs_english.pdf
    • https://cdn.shopify.com/s/files/1/0433/1601/9355/files/7274321612.pdf
    • https://cdn.shopify.com/s/files/1/0482/8351/7092/files/cset_english_language_development_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0431/7508/4193/files/38066934625.pdf
    • https://2250da59-2b00-4533-bed1-c6d2f1d8e7e1.filesusr.com/ugd/738632_9af80e225ea043dd944b7c373f914d5c.pdf?index=true
    • https://aeab33c1-b2a0-43a1-94f5-88852cbf4812.filesusr.com/ugd/e50c99_8f43eb34ba99409995d31bebe68f18b5.pdf?index=true
    • https://7b5b7973-ad4e-441b-afa2-d0713d5a703f.filesusr.com/ugd/740d8c_4bda59d0197d43918849119249a999bd.pdf?index=true
    • https://425ab7ba-b0e7-46fb-b1e4-ac4bb5c1536f.filesusr.com/ugd/24deb6_ab665b08561942fa937cac7d7fc62085.pdf?index=true
    The six URIs below are XMP metadata schema namespaces (RDF, Dublin Core, Adobe PDF/XMP). They identify the metadata vocabulary in the document's XMP stream, are not clickable links or remote resources, and should not be treated as indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
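As an added worked example (not part of this report, and not the scanner that produced it), the Python below reproduces the three heuristics above on a hand-built PDF. It pulls URLs from /URI link-annotation actions (the clickable channel), separately collects every URL-looking string in the file (the EMBEDDED_URL channel, which also sweeps up XMP namespace URIs), inflates FlateDecode streams so that real samples with compressed objects are covered, and flags a small file whose links cluster on one host. The redirector host list, the thresholds (200 KB, at least 8 links, at least half on one host) and the sample link paths are assumptions; only the hosts come from this report.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# --- constructed sample (not the analysed file) ---------------------------
# Ten clickable links: one redirector, six clustered on cdn.shopify.com and
# three on other hosts. Hosts are taken from the report; paths are made up.
SAMPLE_LINKS = [
    "https://ttraff.me/wix?keyword=blank+page+to+type+on+computer",
    "https://cdn.shopify.com/s/files/1/0437/0730/2037/files/a.pdf",
    "https://cdn.shopify.com/s/files/1/0433/1601/9355/files/b.pdf",
    "https://cdn.shopify.com/s/files/1/0482/8351/7092/files/c.pdf",
    "https://cdn.shopify.com/s/files/1/0431/7508/4193/files/d.pdf",
    "https://cdn.shopify.com/s/files/1/0400/0000/0001/files/e.pdf",
    "https://cdn.shopify.com/s/files/1/0400/0000/0002/files/f.pdf",
    "http://files.iamwhoiaminc.org/uploads/1/3/2/6/132681690/x.pdf",
    "https://2250da59-2b00-4533-bed1-c6d2f1d8e7e1.filesusr.com/ugd/y.pdf?index=true",
    "https://aeab33c1-b2a0-43a1-94f5-88852cbf4812.filesusr.com/ugd/z.pdf?index=true",
]

# XMP metadata stream: its namespace URIs are not links and must not count.
XMP = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
       "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
       "xmlns:dc='http://purl.org/dc/elements/1.1/' "
       "xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")


def build_sample_pdf(links=SAMPLE_LINKS, xmp=XMP):
    """Minimal one-page PDF with one /Link annotation per URL plus an XMP stream."""
    annots = "".join(
        "<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >> " for u in links)
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [ {annots}] >> endobj\n"
        f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
        f"stream\n{xmp}\nendstream\nendobj\n"
        "%%EOF\n")
    return body.encode("latin-1")


URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")          # link-annotation action
ANY_URL = re.compile(rb"https?://[^\s<>()'\"]+")         # any URL-looking string


def _views(pdf):
    """Yield the raw file, then every stream body that inflates with zlib
    (real samples keep most objects FlateDecode-compressed)."""
    yield pdf
    for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # uncompressed or non-Flate stream: the raw view covers it


def extract_link_annotations(pdf):
    """URLs reachable by a click: the /URI action of a link annotation."""
    out = []
    for view in _views(pdf):
        for m in URI_ACTION.finditer(view):
            u = m.group(1).decode("latin-1")
            if u not in out:
                out.append(u)
    return out


def extract_any_urls(pdf):
    """Every URL-looking string anywhere in the file (EMBEDDED_URL channel)."""
    out = []
    for view in _views(pdf):
        for m in ANY_URL.finditer(view):
            u = m.group(0).decode("latin-1")
            if u not in out:
                out.append(u)
    return out


# Assumed intel list, seeded from this report; feed it from your own sources.
REDIRECTOR_HOSTS = {"ttraff.me"}


def score(pdf, max_size=200 * 1024, min_links=8, cluster_ratio=0.5):
    """Apply the three heuristics; thresholds are assumptions for this example."""
    links = extract_link_annotations(pdf)
    hosts = Counter(urlparse(u).hostname for u in links)
    top_host, top_n = (hosts.most_common(1) or [(None, 0)])[0]
    hits = []
    if any(h in REDIRECTOR_HOSTS for h in hosts):
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if (len(pdf) <= max_size and len(links) >= min_links
            and top_n / len(links) >= cluster_ratio):
        hits.append("PDF_SEO_LINK_FARM")
    everything = extract_any_urls(pdf)
    if everything:
        hits.append("EMBEDDED_URL")
    return {
        "links": links,
        "top_host": top_host,
        "hits": hits,
        # seen only in body/metadata, never as a clickable link (e.g. XMP namespaces)
        "non_link_urls": [u for u in everything if u not in links],
    }


if __name__ == "__main__":
    r = score(build_sample_pdf())
    for h in r["hits"]:
        print(h)
    print("top host:", r["top_host"], "| non-link URLs:", r["non_link_urls"])
```

The split between `extract_link_annotations` and `extract_any_urls` is the point of the EMBEDDED_URL note above: the XMP namespace URIs show up in the second set and only there, so a triage rule should key on the clickable channel and host clustering, not on raw URL counts. The literal-string regex does not handle escaped `\)` or hex-string `<...>` forms of `/URI`, which a production parser must.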

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 of the carved file on the following line)

font_00_sfnt_off0000b794.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB794 | 2828 bytes
  SHA-256: b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a
font_01_sfnt_off0000c18f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC18F | 5288 bytes
  SHA-256: a5a2a42f96ddfdab1a8d7e9538ad593d2eab9c52aa1db99a07fa454945c859ee
font_02_sfnt_off0000d38e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD38E | 10204 bytes
  SHA-256: f69d17492477ae7efb42d3cd3a17eff35a4010f2bbc8303336ebd082e68973ea

Embedded font subsets are expected in HTML-to-PDF output such as wkhtmltopdf; the carved copies are listed for completeness and hash matching, and no finding above is based on them.