Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ec6535f707c3cfb…

MALICIOUS

PDF

40.3 KB Created: 2020-09-16 21:26:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b8cab0703ee3cd98bd50046b451a2f8 SHA-1: 8c7c3f839cfa6b78856629e4dc43baa69c07b2d7 SHA-256: 3ec6535f707c3cfb761bf7a465adc869949462d970f56b34abee5ff6e4a394f8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link farm designed to redirect users to malicious infrastructure, specifically disguised as a "Black and decker grass hog xp owners manual". The primary malicious URL is https://ttraff.club/wix?keyword=black+and+decker+grass+hog+xp+owners+manual. The document body is heavily obfuscated and contains embedded URLs, suggesting a social engineering tactic to drive traffic to potentially malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=black+and+decker+grass+hog+xp+owners+manual
    • http://jibupenum.just-verandas.com/uploads/1/3/1/4/131408024/5480193.pdf
    • http://files.georgisztojanov.com/uploads/1/3/0/7/130739470/8980b562bcf27b.pdf
    • https://e69fcb53-1179-40c9-be1b-fe5b123f9ec4.filesusr.com/ugd/a382ee_b39fb7c22387457ea8910b8ca7e5b65c.pdf?index=true
    • https://3bbadb02-0c53-4fe9-8bcd-a675c04ba983.filesusr.com/ugd/724bd4_45f1e0a4005341b794114c44bc093dfd.pdf?index=true
    • https://a59e653a-90d4-49db-8563-2c96d0041e7e.filesusr.com/ugd/80fd5d_7768358bd7a64abcb52bb4c7cc59c00f.pdf?index=true
    • https://ab04190d-d745-4643-aae8-977c01e8272e.filesusr.com/ugd/429b25_0a7f4b367576443daacf15ff1dc95d66.pdf?index=true
    • https://26ac6772-3093-431b-82ad-cad14d4e3625.filesusr.com/ugd/ac8c68_ef5c1edf35f94bdb8731d379ebe630fc.pdf?index=true
    • https://aaca2562-5397-4bf5-b556-016ca0616acb.filesusr.com/ugd/b0b521_4bc961ac02844a2f89d996786b8e2779.pdf?index=true
    • https://8ca5948f-371d-4082-a034-05d36754d221.filesusr.com/ugd/11b39a_50407ae588d9478cac2c33a666d1678e.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/0737/7567/files/cdte_solar_cell.pdf
    • https://cdn.shopify.com/s/files/1/0428/9714/6019/files/89505353038.pdf
    • https://cdn.shopify.com/s/files/1/0437/8171/8173/files/badri_tamil_movie_audio_songs.pdf
    • https://cdn.shopify.com/s/files/1/0427/4195/6775/files/lankhmar_city_of_adventure.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005cea.bin
4eb2b82c596be9bb94ca7bf3bd1f4ad1ad72b0c7ce86f433419ca02188bd65ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CEA 5760 bytes
font_01_sfnt_off00007076.bin
76394850886027f075a7a164f4aa309499be16f4a4ee90b9092d064e89555043		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7076 10492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.