Malicious PDF — malware analysis report

Static analysis result for SHA-256 44322a7391069a61…

Verdict: MALICIOUS
File type: PDF
Size: 53.6 KB
Created: 2020-09-18 05:51:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 896078b60efc8b802929ac09773d185a
SHA-1: ac320fc87352d97da1443abe249d13c16cbc2e75
SHA-256: 44322a7391069a61db9743a11afaaf5497f8d1dff6faddaf5167533f58d38ecc
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (T1566.002 is the link sub-technique; the attachment sub-technique is T1566.001. The sample carries no parser exploit and depends on the victim clicking an embedded link.)
  • T1059.001 Command and Scripting Interpreter: PowerShell (no script content was extracted from this PDF; the only artifacts recovered by static analysis are link annotations, URLs and font streams)

The PDF fires a heuristic for a malicious redirector link pointing to 'https://ttraff.me/wix?keyword=tipos+de+tecnologia+assistiva'. It also matches the PDF link-farm pattern: a small, wkhtmltopdf-generated file carrying many clickable external links to other PDFs, including the redirector and a cluster of PDF links hosted on cdn.shopify.com that the per-URL heuristics did not flag individually. The document body, although partially corrupted, contains the redirector URL in plain text, and the keyword in that URL ('tipos de tecnologia assistiva', Portuguese for 'types of assistive technology') indicates a search-engine lure aimed at users looking for assistive-technology material.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=tipos+de+tecnologia+assistiva
    • http://dikoxose.stevemager.com/uploads/1/3/0/7/130775258/7af015fe.pdf
    • http://files.dandavisonmusic.com/uploads/1/3/0/7/130775196/11ceb.pdf
    • http://files.siccoconstruction.com/uploads/1/3/0/7/130775978/juxexobenomarul_rafefuzazu_xerurero.pdf
    • http://files.forumbooksshop.com/uploads/1/3/1/3/131398176/dfc70bcc6b8e89b.pdf
    • http://mixumatir.resurrectionvineyard.com/uploads/1/3/1/4/131438672/4a398e.pdf
    • https://cdn.shopify.com/s/files/1/0433/0084/7781/files/brave_movie_theme_song.pdf
    • https://cdn.shopify.com/s/files/1/0430/3863/8241/files/41738726609.pdf
    • https://cdn.shopify.com/s/files/1/0429/3319/0823/files/mavebomukom.pdf
    • https://cdn.shopify.com/s/files/1/0484/1822/6344/files/wsu_master_gardener_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/1468/3813/files/wusamigujabewafar.pdf
    • https://cdn.shopify.com/s/files/1/0431/1308/7142/files/47809563751.pdf
    • https://cdn.shopify.com/s/files/1/0431/6128/8868/files/5955242955.pdf
    • https://cdn.shopify.com/s/files/1/0435/8720/7327/files/adobe_photoshop_6_tutorials_for_beginners.pdf
    • https://cdn.shopify.com/s/files/1/0433/3699/0885/files/rekufopinin.pdf
    • https://cdn.shopify.com/s/files/1/0433/2060/6885/files/aptoide_tv_on_android_tv.pdf
    • https://cdn.shopify.com/s/files/1/0430/5072/9634/files/4135363946.pdf
    • https://cdn.shopify.com/s/files/1/0433/1218/5502/files/bram_stoker_dracula_deutsch.pdf
    • https://cdn.shopify.com/s/files/1/0429/9587/5989/files/46522030137.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/jedajuzosefowi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/XMP namespace identifiers from the document's metadata stream, not link annotations. They appear in any XMP-tagged PDF and carry no signal on their own; only the URLs reached through the link-annotation or document-body channels count toward the two critical heuristics.
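The two critical heuristics above are simple to reproduce once URLs are tagged by the channel that reached them. The following is an added example, not the analysis tool's own code: it builds a minimal PDF with link annotations, a Flate-compressed content stream and an XMP metadata stream, extracts every URL with its channel (link annotation, document body, metadata), and applies a link-farm check (small file, many clickable links to other PDFs, most of them on one host) and a redirector check against a host list seeded with the ttraff.me host named in this report. The thresholds, the constructed sample PDF and the look-alike link-farm URLs are assumptions for illustration.

```python
"""Added example (not the analysis tool's own code): extract URLs from a PDF by
channel and apply the two link heuristics fired in the report. The minimal sample
PDF, the thresholds and the redirector host list are assumptions for illustration."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# The report names ttraff.me as redirector infrastructure; a real deployment
# would load this set from threat intelligence rather than hard-code it.
REDIRECTOR_HOSTS = {"ttraff.me"}

# XMP/RDF namespace URIs live in the metadata stream and are never clickable.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/", "http://purl.org/dc/", "http://ns.adobe.com/")

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /A << /S /URI /URI (...) >>
RAW_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def _decoded_streams(pdf: bytes) -> bytes:
    """Concatenate every stream body, inflating the Flate-encoded ones."""
    parts = []
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:              # uncompressed (e.g. XMP) or another filter
            parts.append(m.group(1))
    return b"\n".join(parts)


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the set of channels that reached it: 'link_annotation'
    (clickable /URI action), 'body' (page content) or 'metadata' (XMP namespace)."""
    urls = {}
    for m in URI_ANNOT_RE.finditer(pdf):
        urls.setdefault(m.group(1).decode("latin-1"), set()).add("link_annotation")
    for m in RAW_URL_RE.finditer(_decoded_streams(pdf)):
        url = m.group(0).decode("latin-1")
        channel = "metadata" if url.startswith(XMP_NAMESPACE_PREFIXES) else "body"
        urls.setdefault(url, set()).add(channel)
    return urls


def link_heuristics(pdf: bytes, urls: dict, max_size=200_000, min_pdf_links=8,
                    cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM: small file, many clickable links to other PDFs, mostly on one host.
    PDF_MALICIOUS_REDIRECTOR_LINK: a clickable URI whose host is known redirector infrastructure.
    Thresholds are assumed values, not the report tool's."""
    clickable = [u for u, ch in urls.items() if "link_annotation" in ch]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    clustered = (top_n / len(pdf_links) if pdf_links else 0) >= cluster_ratio
    redirectors = sorted(u for u in clickable if urlparse(u).netloc.lower() in REDIRECTOR_HOSTS)
    return {
        "PDF_SEO_LINK_FARM": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and clustered,
        "PDF_MALICIOUS_REDIRECTOR_LINK": bool(redirectors),
        "pdf_links": len(pdf_links),
        "top_host": (top_host, top_n),
        "redirector_urls": redirectors,
    }


# Constructed sample: the report's redirector URL (clickable and in the page text),
# twelve look-alike PDF links on one CDN host and three on other hosts.
SAMPLE_REDIRECTOR = "https://ttraff.me/wix?keyword=tipos+de+tecnologia+assistiva"
SAMPLE_XMP_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
SAMPLE_LINKS = ([SAMPLE_REDIRECTOR]
                + [f"https://cdn.shopify.com/s/files/1/0400/{n:04d}/files/doc{n}.pdf" for n in range(12)]
                + [f"http://files.example{n}.invalid/uploads/1/3/0/7/{n}/x.pdf" for n in range(3)])


def build_sample_pdf(links=SAMPLE_LINKS, body_url=SAMPLE_REDIRECTOR, xmp_ns=SAMPLE_XMP_NS) -> bytes:
    """Minimal one-page PDF (constructed): a /Link annotation per URL, a Flate-compressed
    content stream that prints body_url, and an uncompressed XMP metadata stream."""
    annots = "".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
        f"/A << /S /URI /URI ({u}) >> >>\n" for i, u in enumerate(links))
    content = zlib.compress(f"BT /F1 10 Tf 20 700 Td ({body_url}) Tj ET".encode())
    xmp = f'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="{xmp_ns}"/></x:xmpmeta>'.encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [\n" + annots.encode() + b"] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    found = extract_urls(sample)
    for url, channels in sorted(found.items()):
        print(f"{','.join(sorted(channels)):25} {url}")
    print(link_heuristics(sample, found))
```

Run against the constructed sample, the redirector URL is reported on both the link-annotation and body channels, the twelve cdn.shopify.com links on the link-annotation channel only, and the RDF namespace on the metadata channel, so both critical heuristics fire while the namespace URI is ignored. The regex-based stream and annotation scanning is deliberate for a triage tool: it does not need a valid cross-reference table and therefore still works on a partially corrupted file like this sample, at the cost of missing annotations inside object streams, which a full parser would need to expand.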

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font programs in sfnt (TrueType/OpenType) format; embedded fonts are normal in wkhtmltopdf output and none of them triggered a heuristic.

Filename: font_00_sfnt_off00006aff.bin
  SHA-256: 2f5677e45fbfa3533177553719ebad731a5090ca71c6a835f31e35c19552f224
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6AFF
  Size: 4944 bytes

Filename: font_01_sfnt_off00007be2.bin
  SHA-256: 07ec561eac4b12259779d0c58fb03f3510b6f88c463c2f5ae7448be02425d298
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7BE2
  Size: 12500 bytes

Filename: font_02_sfnt_off0000a224.bin
  SHA-256: 8b535bd6787672ba9e8eee7f6b9c2f65f702889990da1de84beb78484d94bdf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA224
  Size: 16952 bytes

Filename: font_03_sfnt_off0000b8c2.bin
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB8C2
  Size: 4324 bytes
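To reproduce an artifact table like the one above, or to verify its hashes against a copy of the sample, the font streams have to be inflated and recognised by their sfnt header. The following is an added example, not the analysis tool's own code: it walks every stream in a PDF, inflates the Flate-encoded ones, keeps those that start with an sfnt version tag, and reports the stream offset, decoded size, table directory and SHA-256, the same fields the table carries. The sample PDF fragment and the 32-byte TrueType stub inside it are constructed for the example.

```python
"""Added example (not the analysis tool's own code): carve embedded sfnt font
programs out of a PDF's streams and report offset, size, tables and SHA-256.
The PDF fragment and the TrueType stub below are constructed for illustration."""
import hashlib
import re
import struct
import zlib

# sfnt version tags; the first four bytes of an embedded TrueType/OpenType program.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
               b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Inflate every stream and keep those whose first bytes are an sfnt version tag."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            data = raw                      # uncompressed or another filter; scan as-is
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None or len(data) < 12:
            continue
        num_tables = struct.unpack(">H", data[4:6])[0]
        # The table directory starts at byte 12 with one 16-byte record per table
        # (tag, checksum, offset, length); cap the walk so a bogus count cannot run away.
        tags = [data[12 + 16 * i:16 + 16 * i].decode("latin-1")
                for i in range(min(num_tables, 64)) if len(data) >= 28 + 16 * i]
        fonts.append({"offset": m.start(1), "kind": kind, "size": len(data),
                      "tables": tags, "sha256": hashlib.sha256(data).hexdigest()})
    return fonts


def build_font_pdf() -> bytes:
    """Constructed PDF fragment: a /FontFile2 stream holding a 32-byte TrueType stub
    (12-byte header, one 'cmap' table record, 4 bytes of table data)."""
    table_data = b"\x00\x00\x00\x00"
    font = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
            + b"cmap" + struct.pack(">III", 0, 28, len(table_data)) + table_data)
    stream = zlib.compress(font)
    header = (b"%PDF-1.4\n7 0 obj\n<< /Length " + str(len(stream)).encode()
              + b" /Filter /FlateDecode /Length1 " + str(len(font)).encode() + b" >>\nstream\n")
    return header + stream + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for n, f in enumerate(carve_sfnt_fonts(build_font_pdf())):
        name = f"font_{n:02d}_sfnt_off{f['offset']:08x}.bin"
        print(name, f["kind"], f["size"], "bytes", f["tables"], f["sha256"])
```

The offset reported is where the encoded stream starts in the file, which is how the filenames in the table above are derived; the size and hash are of the inflated font program, so a hash computed on the raw stream bytes will not match the table. Checking the table directory against the decoded length is also a cheap way to spot a truncated or tampered font object, which matters because malformed embedded fonts, unlike the link annotations in this sample, are a classic vector for parser exploits.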