Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bc3a022fd549891…

Verdict: MALICIOUS
File type: PDF
Size: 70.4 KB
Created: 2020-08-29 01:23:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6547444790fb0d4fa2e5ebc922419f5c
SHA-1: 89a30977eaa811fc84bde969ae46da13b91a9e02
SHA-256: 4bc3a022fd549891d9e658b41a8d25637bb6a398d02ff042a675e9e5209fd969
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is likely used to host phishing content or distribute malware. The document body, though heavily obfuscated, contains the URL and appears to be a lure related to a 'brom error'. The presence of a large number of external PDF links also suggests a link farm or SEO poisoning tactic to increase visibility. The heuristic 'SE_CALLBACK_LURE' further suggests a social engineering pretext, possibly related to fake billing or subscription issues.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, ID: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure (severity: medium, ID: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • URL https://ttraff.com/wix?keyword=brom+error+s_ft_format_fail%2528+4010+so
    • https://static.usrfiles.com/ugd/b8c837_114e5d7d0dcc4541a4bc9ba8b55104f5.pdf
    • https://static.usrfiles.com/ugd/b8c837_faef296725b646e9883756a4ebd6396b.pdf
    • https://static.usrfiles.com/ugd/b8c837_4263e917e5ab430bbce7e8548f6d2abe.pdf
    • https://static.usrfiles.com/ugd/b8c837_6eb42687800c443eb52a2112910756ff.pdf
    • https://static.usrfiles.com/ugd/b8c837_4dd1d581fa7e47719c9a1f79b245599e.pdf
    • https://cdn.shopify.com/s/files/1/0461/7702/6201/files/25340393245.pdf
    • https://cdn.shopify.com/s/files/1/0433/8515/9845/files/faked.pdf
    • https://static.usrfiles.com/ugd/b8c837_6b11f2decaa8423fad9a730fd06b4300.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ddb9238b4a44bd2b891773f8756251b.pdf
    • https://static.usrfiles.com/ugd/b8c837_d75d49960f9c47feb215f5ad939edd75.pdf
    • https://static.usrfiles.com/ugd/b8c837_c76a66380c9f4b50990411721f5d42fe.pdf
    • https://static.usrfiles.com/ugd/b8c837_8b2e0677ffdc434289e2fae52a9c2527.pdf
    • https://static.usrfiles.com/ugd/b8c837_60662604c94b423e92e0442c2ad2d8d0.pdf
    • https://static.usrfiles.com/ugd/b8c837_ad6c75197fe849a4a8c39df611127de6.pdf
    • https://static.usrfiles.com/ugd/b8c837_b0aabbc553d042b99877955f06c725cc.pdf
    • https://static.usrfiles.com/ugd/b8c837_9bc31f4d6b524514a431ef7b2747371e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off0000a8a2.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xA8A2  5036 bytes
  SHA-256: 0faa66b7cf7ba28cea6bb54e42dee0e7791e821d473161086fd2cf83989b3566
font_01_sfnt_off0000b9d6.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xB9D6  14788 bytes
  SHA-256: bb34ea7c9a88afab9dd01446ca9ff7ed90c0abeae0c657589d35dd03f56a46cc
font_02_sfnt_off0000e924.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE924  16092 bytes
  SHA-256: c9557d91917e40dbb2ce09b7ef560a04a9a832ffe2ebcac6b50408a58351272e
font_03_sfnt_off0000fdec.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFDEC  4324 bytes
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71