Malicious PDF — malware analysis report

Static analysis result for SHA-256 448fdcb42b088794…

MALICIOUS

PDF

46.6 KB Created: 2020-09-03 20:22:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c07f7779b4ef0c0e29a2c6a89de2179 SHA-1: fb71349b1272b281b6b6143221b0054f579e6f09 SHA-256: 448fdcb42b088794b4f218f72a2330a6b4c3620d631590b28c25b18c91fb21b5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was identified as malicious due to containing a large number of external links, characteristic of a link farm. One of these links, https://ttraff.club/wix?keyword=birdland+weather+report+solos, is a known malicious redirector. The document body contains garbled text and a reference to the malicious URL, suggesting it's a lure to drive traffic to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=birdland+weather+report+solos
    • https://cdn.shopify.com/s/files/1/0463/5200/7325/files/2015_chevrolet_equinox_ltz_owners_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/0576/2974/files/ludamusofoxobofezatawi.pdf
    • https://cdn.shopify.com/s/files/1/0432/3019/9966/files/benim_hocam_tyt_tarih_soru_bankas.pdf
    • https://cdn.shopify.com/s/files/1/0438/5590/4918/files/mageweave_bandage_trainer_vanilla.pdf
    • https://cdn.shopify.com/s/files/1/0429/0792/6687/files/pomabakaxabodugeg.pdf
    • https://static.usrfiles.com/ugd/1813b3_537ce47cc28a4db2ae0e8cdf0fef9cf5.pdf
    • https://static.usrfiles.com/ugd/f65518_2eaf18ed041743c79452d99d825fe165.pdf
    • https://static.usrfiles.com/ugd/0779a3_cdcf318c648e41238346d354618a8573.pdf
    • https://static.usrfiles.com/ugd/73c254_95e075d720794afebf689358c16bb02a.pdf
    • https://static.usrfiles.com/ugd/a43ec6_41cef6b76b7741739465ea738b07b4a3.pdf
    • https://static.usrfiles.com/ugd/62e2c1_5af48401b9664d77a788306f4c69c61e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007964.bin
50cf6420fa846b8d6cd17193285a1d59761f6745e3d192398e0638234feb88fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7964 5188 bytes
font_01_sfnt_off00008b12.bin
74db7b82a1aad10e643d62f0d74f908fe4ac8aef20fa50ba8b410796ec8e96ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B12 10112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.