Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cdb9c95289dc26d…

MALICIOUS

PDF

49.6 KB Created: 2020-09-08 02:32:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c7dbee4e21c4f06adbc5872d7d8ca5c SHA-1: 8043190340ff9a751dae229a494334ace0694b3f SHA-256: 4cdb9c95289dc26dcc6b96c89003f93e66be635ea950fc246e93fd512f7ee8fd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.club/wix?keyword=test+de+temperamento+y+caracter+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded URLs, including one hosted on Shopify. The document body, though heavily obfuscated, contains the same malicious URL and references to 'wkhtmltopdf', suggesting it's a generated document used for malicious redirection. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=test+de+temperamento+y+caracter+pdf
    • https://cdn.shopify.com/s/files/1/0460/4048/1956/files/lixenoxaralo.pdf
    • https://cdn.shopify.com/s/files/1/0434/3804/7384/files/zufanisanawojuwez.pdf
    • https://cdn.shopify.com/s/files/1/0429/9672/7957/files/jokivexebugipajesetuxir.pdf
    • https://cdn.shopify.com/s/files/1/0438/0744/1053/files/windows_server_administrator_interview_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0429/5363/8044/files/medim.pdf
    • https://cdn.shopify.com/s/files/1/0433/6769/4490/files/adaptation_imdb_parents_guide.pdf
    • https://static.usrfiles.com/ugd/d775a9_e7098f7548954c5eae557164beefa0a3.pdf
    • https://static.usrfiles.com/ugd/0789d5_424165087f1a4f08b049656f97306cb6.pdf
    • https://static.usrfiles.com/ugd/851c7c_8991e20f812b476eb9c9a20ebb9e4402.pdf
    • https://static.usrfiles.com/ugd/15ebe2_fbf6ef0d1b764d5da0b92a78e281da16.pdf
    • https://static.usrfiles.com/ugd/c618e9_d5949192509a4704b2bdeed1ed3751ff.pdf
    • https://static.usrfiles.com/ugd/8716ab_83f9621e19f44e8badce245de25a33ca.pdf
    • https://static.usrfiles.com/ugd/fa32a6_d636288047f548258402b33b2fb6dcbb.pdf
    • https://static.usrfiles.com/ugd/b8c837_25286c4c53824c33bd323f6e63ff0e53.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008155.bin
b88ec9f6eda9894eaab0a875a60a613e8fa4ad747567043f648e99fbde1cd821		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8155 5320 bytes
font_01_sfnt_off0000935c.bin
e653f30de9816e3de07b16d7363db2526df1a00a4acf84fe3c407fe0e01eada2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x935C 11232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.