Malicious PDF — malware analysis report

Static analysis result for SHA-256 43da86e48d5cbee2…

MALICIOUS

PDF

49.4 KB Created: 2020-08-15 10:03:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79fb053d3f068c8eba377464125218d2 SHA-1: 42e37aa29cdb66abf23119d0e1b0d9637f3dc368 SHA-256: 43da86e48d5cbee247d539543184d3e2369f0299fe6a660140168edf19ab04f0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a redirector service (ttraff.com) known to host malicious content. The document body, though heavily obfuscated, contains a reference to the same redirector URL. The heuristic firings indicate that the PDF is designed as a link farm, likely to distribute malware or phish for credentials.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=sqlite%20php%20tutorial%20pdf
    • http://files.fossilfreepcusablog.org/uploads/1/3/1/0/131069781/wowenuvuwutebi-topakikebojoxul-mawib.pdf
    • http://files.rolfkrahnert.com/uploads/1/3/2/7/132741397/tukij-tikexen-xokejugemir-gusuxelep.pdf
    • http://files.safehand.org/uploads/1/3/0/7/130775292/715f747bda4b96c.pdf
    • http://files.lovebodywisdom.com/uploads/1/3/2/6/132681743/f0796f325aaf.pdf
    • https://cdn.shopify.com/s/files/1/0431/7688/6431/files/60789958265.pdf
    • https://cdn.shopify.com/s/files/1/0431/4644/4960/files/white_sewing_machine_model_1505_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/4681/3344/files/70435701691.pdf
    • https://cdn.shopify.com/s/files/1/0435/3504/0664/files/gazilivif.pdf
    • https://cdn.shopify.com/s/files/1/0447/8540/2013/files/self_declaration_in_prescribed_format_refer_annexure_e1_hssc.pdf
    • https://cdn.shopify.com/s/files/1/0430/7140/6237/files/jakiti.pdf
    • https://cdn.shopify.com/s/files/1/0429/8535/7463/files/rujerijawe.pdf
    • https://cdn.shopify.com/s/files/1/0431/7249/5519/files/gixozew.pdf
    • https://cdn.shopify.com/s/files/1/0433/9941/3910/files/anesthsie_tronculaire_dentaire.pdf
    • https://cdn.shopify.com/s/files/1/0428/9753/9231/files/automobile_engineering_interview_questions_download.pdf
    • https://cdn.shopify.com/s/files/1/0439/9936/3222/files/xogojida.pdf
    • https://cdn.shopify.com/s/files/1/0431/0522/2813/files/40630095100.pdf
    • https://cdn.shopify.com/s/files/1/0436/2895/3763/files/calendrier_2020_tunisie.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000077b3.bin
644f1257894d47b7616fd139f50d014d291cdcd30f4e81e8438dc194dacddf13		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77B3 5180 bytes
font_01_sfnt_off0000894f.bin
9bd4347fbfdc8bad110a50f7bfac8ef40fc5d76b8b67b11a7fd726b1695c1612		 pdf-font-stream PDF embedded font (sfnt) at offset 0x894F 15304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.