Malicious PDF — malware analysis report

Static analysis result for SHA-256 42effcad3b72b083…

MALICIOUS

PDF

46.6 KB Created: 2020-08-31 16:23:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1983edd92edd3916e568ba03d4be3720 SHA-1: 2165a950f4e0ccdd9bbe3edd76876176fdfedff2 SHA-256: 42effcad3b72b0839bb4bf42a7f3ce2861e117257ecaf530bdcaa29dded19170
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.club/wix?keyword=bentham+regular+free+font'. Additionally, it exhibits a PDF link farm heuristic, indicating a large number of outbound links, with one pointing to a Shopify URL. The presence of a visual download button lure further supports a social engineering attempt. The document body, though heavily obfuscated, contains the malicious URL, suggesting the document's purpose is to trick the user into clicking it.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=bentham+regular+free+font
    • https://cdn.shopify.com/s/files/1/0437/0586/0248/files/91140939695.pdf
    • https://cdn.shopify.com/s/files/1/0433/4904/9499/files/68663388552.pdf
    • https://cdn.shopify.com/s/files/1/0431/4667/4338/files/54344049095.pdf
    • https://cdn.shopify.com/s/files/1/0432/5654/5433/files/8143359157.pdf
    • https://cdn.shopify.com/s/files/1/0435/2330/9727/files/46787661082.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed2fe5c954c0403892702dc696a2b420.pdf
    • https://static.usrfiles.com/ugd/3615fb_d59cc1a7ed264b66bf7411b971670963.pdf
    • https://static.usrfiles.com/ugd/9dda13_272b3241a53646f2b7337e0d580e14fa.pdf
    • https://static.usrfiles.com/ugd/b8c837_931b0e9b7100493282f08215d2cce20d.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_ef6c618b531f408ea611e03f80882a7b.pdf
    • https://static.usrfiles.com/ugd/b8c837_f7ff80c11ae94b4089f18f942b4414f5.pdf
    • https://static.usrfiles.com/ugd/b8c837_127b7f64e5fe454c97d8858f93b75350.pdf
    • https://static.usrfiles.com/ugd/b8c837_7ab01781d3474c49a422571828fbf4a2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006764.bin
027a58d36aeb7056e63f5b02d2b624fc901c5261384a8351ef5dfc59dc072255		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6764 5052 bytes
font_01_sfnt_off0000786e.bin
bf6851ac2db16272c88c68f27dbd2faa0cf6e49613ad036b5ff189e3cbae50bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x786E 19932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.