Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e367874deda8e32…

MALICIOUS

PDF

49.1 KB Created: 2020-09-18 18:07:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 528b460943f027c803c7cd2c34bf8f8c SHA-1: a9c9a1404f734874e8ac0aae345a80a2fbf1de11 SHA-256: 3e367874deda8e324e140c7f1f7e8dee733d2c62e7fd7a13b26a8fc0e90a3026
128 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'https://ttraff.club/wix?keyword=aptoide+tv+apk+for+firestick'. Additionally, it features a PDF link farm with numerous external links, many pointing to benign files but originating from a suspicious domain. The presence of a 'download button' heuristic further supports the lure-based attack pattern. No scripts were extracted, but the combination of the malicious redirector and the link farm indicates a probable attempt to deliver a malicious payload or lead the user to a phishing site.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=aptoide+tv+apk+for+firestick
    • http://fekejow.fortis-fp.com/uploads/1/3/1/3/131380600/2624098.pdf
    • http://giget.maidans.org/uploads/1/3/1/6/131606598/858493.pdf
    • http://podepoxax.usssteinaker.org/uploads/1/3/0/7/130739783/7e72ef217139.pdf
    • http://banakomos.biblesage.com/uploads/1/3/0/8/130874133/fogomopibixetim_pafoveze_kobev_joredi.pdf
    • http://bilagowis.nebulafestival.com/uploads/1/3/1/4/131406226/8942321.pdf
    • https://fd64690e-493a-46f9-8777-66e2f97b42a9.filesusr.com/ugd/c33cdb_c02b1abe21bb451f98b2bae017689640.pdf?index=true
    • https://ec29483f-a319-42ad-95df-bdab0548d11d.filesusr.com/ugd/c638b7_a49a6a4546834135baba1308541694b6.pdf?index=true
    • https://147e4fd5-bc66-41d2-8737-19cbde675bba.filesusr.com/ugd/10a4aa_5ae01babfe35471a90eab5443e84bdb1.pdf?index=true
    • https://70f71f97-12b3-40f1-b04a-7290c48bdd68.filesusr.com/ugd/e1c37d_7567f6a1878347daba05ab9a2245b70e.pdf?index=true
    • https://59113be8-f350-4c05-bc34-fc713c9f69d8.filesusr.com/ugd/07e02c_803f33a7805b4a8280119dfce268af06.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/3070/8375/files/26056602261.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gejazopemovaro.pdf
    • https://cdn.shopify.com/s/files/1/0429/6055/2085/files/uchiage_hanabi_sheet_music_violin.pdf
    • https://cdn.shopify.com/s/files/1/0430/5348/2135/files/sparknotes_sir_gawain_and_the_green_knight.pdf
    • https://ef966b8a-7606-4e9a-a134-df2a3819e504.filesusr.com/ugd/0251f0_866b415c9b9d42b9b5ab286edc2e94a8.pdf?index=true
    • https://0652fccd-ac67-4743-8711-f5b12522b260.filesusr.com/ugd/d2cc1f_038f58734bba4fd388426eb461966ca7.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://0652fccd-ac67-4743-8711-f5b12522b260.filesusr.com/ugd/d2cc1f_038f58734bba4fd388426eb461

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008251.bin
bcb8658b95f17b3d7f931e0fc244103700e2db79721338eb2a1c73f4c22afc0f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8251 5228 bytes
font_01_sfnt_off00009439.bin
8fb144ccf316927d45c40c850d783e8a64ffd43af2a71feb42b9d6b01c61ea18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9439 10404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.