Malicious PDF — malware analysis report

Static analysis result for SHA-256 5114fd2dcea2f343…

MALICIOUS

PDF

36.1 KB Created: 2020-09-16 10:42:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 228b864a4104767b97a0dd966abadf42 SHA-1: 5115bb095376954a17144013c9da2be972a0ee32 SHA-256: 5114fd2dcea2f3439b792b750c8faebb345ddd80d1a075fd8ed576683dfb5597
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains multiple embedded links, including a redirector to 'ttraff.me' and a large number of links to PDF files hosted on various domains. This indicates a link farm designed to distribute malicious content or conduct phishing. The presence of a 'Download Button' heuristic further supports the lure-based attack pattern. No scripts were extracted from this sample.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/pify?keyword=solving+scale+drawing+problems
    • http://zanunali.lofgrenmusicstudio.com/uploads/1/3/0/8/130814411/2d8fa4a41d17.pdf
    • http://gadin.caroltalkov.com/uploads/1/3/2/7/132741100/2863.pdf
    • http://waruf.senbukankarate.com/uploads/1/3/1/4/131408439/benuzabajog.pdf
    • http://files.cypbb.com/uploads/1/3/0/7/130775143/a9dc6f9a07f575.pdf
    • http://kagipok.westvillageclothing.com/uploads/1/3/1/3/131383548/bibunawizar.pdf
    • http://files.mindtomedia.net/uploads/1/3/1/4/131408854/dotepavazatizo.pdf
    • http://files.suntreehealingarts.com/uploads/1/3/2/7/132740270/zipawe.pdf
    • http://files.waypointwes.org/uploads/1/3/2/8/132815298/jusumaxilibado.pdf
    • http://tuzamubid.haaheohc.com/uploads/1/3/1/3/131384284/tolopixelimo.pdf
    • https://static.usrfiles.com/ugd/aa14a9_70b9f9ca184d41f28afecd23e7f38063.pdf
    • https://static.usrfiles.com/ugd/c7ef1a_0042a89d8ef54405b2727e707a29c75c.pdf
    • https://static.usrfiles.com/ugd/3e87bf_91993ae0fa25466c8ff095fa72248f68.pdf
    • https://static.usrfiles.com/ugd/a4d998_dc23fce227094565a83edbd8518fe1fd.pdf
    • https://static.usrfiles.com/ugd/b85eb0_5fd3a8db3a7a4bc48a99a28754906755.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e41.bin
88cd669580f8209574fa693666629f163512676e2b589780b4fac38683eebc62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E41 5788 bytes
font_01_sfnt_off000061f8.bin
1162fca2b70f906d3d1780541cfb30a4fe050bdbb52967ac1674d746859cf690		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61F8 10048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.