Malicious PDF — malware analysis report

Static analysis result for SHA-256 411ec6954feafe49…

MALICIOUS

PDF

48.1 KB Created: 2020-09-19 01:41:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ea8c03be5c89126c148d4eb84fa575c SHA-1: f0e25043f0c2ec3d1ac865bdb7d320183d2ee1df SHA-256: 411ec6954feafe4945cc4fa751eaa0d4f2632cf07534a11d5629e7d4d7b61e0f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=lucas+k2f+magneto+repair+manual'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, including 'https://2aabcaf2-593b-41b3-b7cb-83d310f13e45.filesusr.com/ugd/8a4248_596920bfdccb44b3b589ce98a01ec961.pdf?index=true'. The document body, though heavily obfuscated, contains text fragments suggesting it is presented as a repair manual, likely to entice users to click the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=lucas+k2f+magneto+repair+manual
    • https://20b64233-1e09-4c42-88c0-83f4b8956ff
    • https://2aabcaf2-593b-41b3-b7cb-83d310f13e45.filesusr.com/ugd/8a4248_596920bfdccb44b3b589ce98a01ec961.pdf?index=true
    • https://54348873-aec0-413a-886e-a812a5e68dfe.filesusr.com/ugd/87a178_c7ad9d11d5bb4b0b94f29a979c621cfb.pdf?index=true
    • https://91dfa9f7-f962-497b-a74c-64469e5a1f68.filesusr.com/ugd/61f964_b9cba2b0653146efa2b34cd0bd63fbef.pdf?index=true
    • https://d0eb23bb-fb5d-4b79-8893-ae583cb32620.filesusr.com/ugd/d8966e_37017aa694ac4b77aa35c1ac330f7865.pdf?index=true
    • https://d01ac257-6172-43e8-a8f3-afd05592b7d0.filesusr.com/ugd/4bdc6d_be6e7d15915e4be1a6bc528cbbe02b45.pdf?index=true
    • https://4e553879-1d18-4e40-812b-3b8dfa322783.filesusr.com/ugd/decf6f_6037c71c329246e9ab8231fda407a422.pdf?index=true
    • https://15fea0cb-154c-4503-9c63-8b86d55fa5c0.filesusr.com/ugd/8ac1ab_35356ed5916d43418ea4d41d1f81862e.pdf?index=true
    • https://104cd4ad-e955-464d-a9f9-cafb650d322c.filesusr.com/ugd/e2a635_a9e95c62b47b4bfea5cded6648ad140e.pdf?index=true
    • https://c9da5205-dbe9-4ca1-9b69-487a45d15f27.filesusr.com/ugd/73c254_1c9b5d72032e4555a479f570c3b98bf7.pdf?index=true
    • https://83dfb280-0593-4722-aa0d-ef6c5be92224.filesusr.com/ugd/275374_a28746fa8bb341109a1c2034ba34e7dc.pdf?index=true
    • https://8f4390fb-6aa3-44a8-a067-6c503d55170e.filesusr.com/ugd/3d0627_2d635d27dbf1420bad78771086fcd1c3.pdf?index=true
    • https://a2491fe5-ec54-4325-967f-76410202c5b5.filesusr.com/ugd/b98abb_f2f7a90d40984a10bbcdd4480dadf4ff.pdf?index=true
    • https://80c7db92-fdca-4f96-bada-ccb11a6f7cdc.filesusr.com/ugd/764aaa_c92d6fda06014a099c1e51caff274b74.pdf?index=true
    • https://12185421-d5fb-4401-ac35-1992b8545940.filesusr.com/ugd/9c66ff_8d479955b9df43319ef3541931850542.pdf?index=true
    • https://4b752d8b-ba3a-4ae3-b886-c7c60598edc5.filesusr.com/ugd/882da0_2b9cad9ee19946a5998956f3533fe45f.pdf?index=true
    • https://20b64233-1e09-4c42-88c0-83f4b8956ff8.filesusr.com/ugd/2c8d66_4ca73d0f7b9b42f784a8b83b62d7ef7b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d42.bin
1bebb26b36f78e8808640e1fb1a58f172928e6ed18602b1a8fdb0cb3a6a748f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D42 5356 bytes
font_01_sfnt_off00007f6a.bin
158ccda21543a7a6b428a5694ad8ac2cb652eaab1b6936c7f71f333c587edd6b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F6A 11176 bytes
font_02_sfnt_off0000a581.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA581 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.