Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a10e7a719aefc04…

Verdict: MALICIOUS
File type: PDF
Size: 87.8 KB
Created: 2020-09-10 18:47:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76c64008d45f1e33020be39ffe0df518
SHA-1: 712ae2072222fbc832e0b80cbfd905098a7fbc8d
SHA-256: 4a10e7a719aefc0498fcd6b7ae472a8389212aa9517d6b51512dcf700bb17fa2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

A critical heuristic fired on a malicious redirector link in the PDF pointing to 'https://ttraff.me/wix?keyword=force+install+apk+via+adb'. The URL's keyword parameter reads as an offer to force-install an APK file, which indicates a social engineering lure (the sample relies on the user clicking, not on a parser exploit). The document also contains a large number of external PDF links, many of which point to benign content, but the primary malicious link is clear.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=force+install+apk+via+adb
    • https://static.usrfiles.com/ugd/856cea_5d6c0a214621451194efb1bcb7c2e9f4.pdf
    • https://static.usrfiles.com/ugd/1c8c1e_b942bb86d2094ad4a478db583072760b.pdf
    • https://static.usrfiles.com/ugd/b8c837_cd0df82da68746e39996f5a9de575e1d.pdf
    • https://static.usrfiles.com/ugd/21e6f2_d3f40d4bd8f14198b32fc9b3866ba500.pdf
    • https://static.usrfiles.com/ugd/2a2e94_52fbdf54dd004554b407d6b766bc3720.pdf
    • https://cdn.shopify.com/s/files/1/0437/7929/3338/files/gipufixalib.pdf
    • https://cdn.shopify.com/s/files/1/0429/2096/8358/files/61531454108.pdf
    • https://cdn.shopify.com/s/files/1/0431/1334/9273/files/89856034393.pdf
    • https://cdn.shopify.com/s/files/1/0429/9902/1717/files/21448349797.pdf
    • https://cdn.shopify.com/s/files/1/0432/8616/7702/files/91275585753.pdf
    • https://cdn.shopify.com/s/files/1/0433/9885/6871/files/asme_section_viii_division_1_radiography_acceptance_criteria.pdf
    • https://cdn.shopify.com/s/files/1/0435/5738/8439/files/am_coming_by_weasel_video.pdf
    • https://cdn.shopify.com/s/files/1/0432/3550/8387/files/evangelismo_infantil.pdf
    • https://cdn.shopify.com/s/files/1/0429/4184/1571/files/fixituvabo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
------------------------------+-----------------+--------------------------------------------+------------
font_00_sfnt_off0001022b.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1022B | 3264 bytes
  SHA-256: 5ffd0a999fe85e24ccad5dbcb092df5caa31f9d8c16ea579b3e9500ab9d8ed07
font_01_sfnt_off00010ded.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DED | 5288 bytes
  SHA-256: b944c19c615a455ecf089f5223d6676416c054c737c596a8b0db021c2dc0f1fa
font_02_sfnt_off00011ffb.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11FFB | 15936 bytes
  SHA-256: 9e677088df44cc00970b8784c16db47a2b4224857dc43223ac328b7c053ce64a