Malicious PDF — malware analysis report

Static analysis result for SHA-256 4400687f453032e9…

MALICIOUS

PDF

40.8 KB Created: 2020-09-02 09:13:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9522537da2aa7e718b3bec98a604825 SHA-1: 1a7336093dc2892f46ee49584d1693ea37845d72 SHA-256: 4400687f453032e95ced2dc82bcade9314324c16772219d1410fe27f4cab25fb
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com', which is used in a lure for Google Authenticator setup. This indicates a credential phishing attempt. The document body, though heavily obfuscated, contains the same URL and text related to 'Google authenticator for windows desktop', reinforcing the phishing lure. The presence of numerous other PDF links, while mostly benign, contributes to a link farm pattern, potentially for SEO manipulation to improve the visibility of the malicious lure.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=google+authenticator+for+windows+desktop
    • https://static.usrfiles.com/ugd/b8c837_20bbe3f36a484a43a8c1ce7aeb723816.pdf
    • https://static.usrfiles.com/ugd/74e9cf_c456c7f0165647c8aa92cc02dca86013.pdf
    • https://static.usrfiles.com/ugd/b8c837_685805a2e6f94bc3a55f425cf588e642.pdf
    • https://static.usrfiles.com/ugd/9c0842_0077e4fc2ae840a69972cf7f934b2bae.pdf
    • https://cdn.shopify.com/s/files/1/0433/0881/0398/files/dewurusudiditet.pdf
    • https://cdn.shopify.com/s/files/1/0432/0329/7437/files/tufapiroboponagipefafofe.pdf
    • https://cdn.shopify.com/s/files/1/0430/3477/1610/files/bearing_types_and_uses.pdf
    • https://cdn.shopify.com/s/files/1/0433/1565/8920/files/vajotowesutemodafuvafoji.pdf
    • https://cdn.shopify.com/s/files/1/0466/7142/9797/files/44551550930.pdf
    • https://cdn.shopify.com/s/files/1/0437/4154/4600/files/xuzus.pdf
    • https://cdn.shopify.com/s/files/1/0433/8450/4474/files/99505333384.pdf
    • https://cdn.shopify.com/s/files/1/0433/7539/4977/files/11378888730.pdf
    • https://cdn.shopify.com/s/files/1/0438/9027/8568/files/budget_spreadsheet_apple.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006052.bin
4df79219d74d134fa144e9bad864300a21069ffb4e6e06fb1039bfb84d2bb8fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6052 5604 bytes
font_01_sfnt_off00007378.bin
e43aa01a43242aa91df4be7e2bd32a5378555fa23812eb5fe9c83d41ca712c8b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7378 10204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.