Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a6090a44d471031…

MALICIOUS

PDF

58.5 KB Created: 2020-09-01 15:47:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47f7ccd91fd1e277956105fb516054f1 SHA-1: d4671bfa772d1e36f7c3b92723107cad33ddf57d SHA-256: 4a6090a44d47103134b01c7a9e94f39e97a5b6e52857f66904bf8626f25b323c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=login+form+bootstrap+templates'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links. The document body, though heavily obfuscated, contains references to login forms and the URL itself, suggesting a phishing or scam attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=login+form+bootstrap+templates
    • https://static.usrfiles.com/ugd/2c608b_4731880a3c104a6ea01d7e9d6b5f3b91.pdf
    • https://static.usrfiles.com/ugd/33ab24_32f900486d12435b9d9e11b402aab8c5.pdf
    • https://static.usrfiles.com/ugd/b8c837_aa2cf6b96ada42b1abdcefda0868898e.pdf
    • https://static.usrfiles.com/ugd/b8c837_20de3a8b3a7c429c996668ffc80d8e8f.pdf
    • https://static.usrfiles.com/ugd/544c7e_53987d3b85914175b13704c9aff7a9e1.pdf
    • https://static.usrfiles.com/ugd/d4579c_3f9b1aa900c6487886dc6a59c198deb3.pdf
    • https://static.usrfiles.com/ugd/6c032c_e17188aedaab4420827ebb8b942713d8.pdf
    • https://static.usrfiles.com/ugd/dcfb95_43f79c69feae4472823f2f1e24e3361e.pdf
    • https://cdn.shopify.com/s/files/1/0431/5152/4008/files/89318995367.pdf
    • https://cdn.shopify.com/s/files/1/0433/6395/8938/files/62927199289.pdf
    • https://static.usrfiles.com/ugd/ef7b09_b05e893af6fb4ea5a28fd03e7bc08ea0.pdf
    • https://static.usrfiles.com/ugd/353d00_aead66d119d44ebb9b13814f397d8fe3.pdf
    • https://static.usrfiles.com/ugd/ee6770_4b04d906dd14446d8dee22be51889fe7.pdf
    • https://static.usrfiles.com/ugd/89064d_5e671675e86c48c1bb7d7a0c9c732d5a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a4fc.bin
12c3cbef56dfb8aeae79f2b041251945be0982ea25eb8f039b1ede9aed047bc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA4FC 5300 bytes
font_01_sfnt_off0000b6f3.bin
2e983158e19e5b5e01daf3ed7ebbe78ae6d6039b98d20bb30ef517e9f1777225		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB6F3 11672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.