Malicious PDF — malware analysis report

Static analysis result for SHA-256 431bb0c6cb5101f6…

MALICIOUS

PDF

42.0 KB Created: 2020-09-05 00:03:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93a2ab438df85e2ca623edeb94f08854 SHA-1: 0e0934961e36fcf347a9b5fe75beeb112684281f SHA-256: 431bb0c6cb5101f6b498347ae94b9543503eed2af7509a8359bb744dcef693b5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a mass of external links, including a critical redirector link to 'https://ttraff.ru/wix?keyword=chomp+sms+latest+apk'. This suggests a phishing or scam attempt, masquerading as a download for an Android application. The document body text and embedded URLs reinforce this lure. No scripts were extracted, limiting further analysis of payload delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=chomp+sms+latest+apk
    • https://static.usrfiles.com/ugd/a2e20a_feb3413876824ca49127a07d81d42e86.pdf
    • https://static.usrfiles.com/ugd/289c5e_8cf011b647704901b6306e49beb06aef.pdf
    • https://static.usrfiles.com/ugd/f1c748_a5cdb8cf4378494b81d176f57a65035a.pdf
    • https://static.usrfiles.com/ugd/3e0cb9_181221e48bdc46aa8a8ae75dabfa6079.pdf
    • https://static.usrfiles.com/ugd/4542d9_5380b1abb5f04e3fac01aec1a4e0e616.pdf
    • https://static.usrfiles.com/ugd/b8c837_b4b03884629341b3828cbef30e5734d5.pdf
    • https://static.usrfiles.com/ugd/5af86b_b1e781f618aa4860828997a0f3c5f1c8.pdf
    • https://static.usrfiles.com/ugd/b8c837_d2bc83b541424a16a5283b75bd9271d1.pdf
    • https://static.usrfiles.com/ugd/b8c837_9152adba514f4e8fa39da77a059d4bd7.pdf
    • https://cdn.shopify.com/s/files/1/0433/3246/8904/files/21493735526.pdf
    • https://cdn.shopify.com/s/files/1/0462/3902/3253/files/hitman_agent_47_game_pc.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nofalefupipalivudekim.pdf
    • https://cdn.shopify.com/s/files/1/0459/5318/7999/files/coombeshead_academy_ofsted_report_2019.pdf
    • https://cdn.shopify.com/s/files/1/0440/8187/3048/files/8368144262.pdf
    • https://static.usrfiles.com/ugd/95bb70_9797d8a3607942f9a665df2551d17210.pdf
    • https://static.usrfiles.com/ugd/963627_c11351df9aa44bc89308d6acc33cc887.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000679c.bin
c75d2954bfe5cc3020a436dab53e2075a632729a0f64ac0f1f56a8c245a02010		 pdf-font-stream PDF embedded font (sfnt) at offset 0x679C 4932 bytes
font_01_sfnt_off00007834.bin
30260cc709eaa0832a5c3764131ac619538340c1fcbddb019533a69d92214068		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7834 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.