Malicious PDF — malware analysis report

Static analysis result for SHA-256 5193c2cfab95cda4…

MALICIOUS

PDF

41.0 KB Created: 2020-09-07 19:20:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01e87ae0eb1e7dd4908fd179b5a3ae21 SHA-1: bd4f7138fe340255bf1a92aaeb63495d7894ae3d SHA-256: 5193c2cfab95cda48abb5434cdf10e23eb9fcabe6953cfb56ede090d687111ec
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, a common tactic for SEO link farms and phishing. One of these links, 'https://ttraff.com/wix?keyword=absence+form+mrs', is identified as a known malicious redirector. The presence of a visual download button further supports the lure to click on these links. The document body itself is heavily obfuscated and contains metadata indicating it was generated by wkhtmltopdf, suggesting it's not a legitimate document.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=absence+form+mrs
    • https://static.usrfiles.com/ugd/82e28d_da9c5f682d404ce38f098b1c09e0bf0d.pdf
    • https://static.usrfiles.com/ugd/b8c837_ba583d41c11a41e580bb52d87c529493.pdf
    • https://static.usrfiles.com/ugd/0dd040_17e516ec4aea434eaca95953f4e6ae0f.pdf
    • https://static.usrfiles.com/ugd/f55bec_266b02b600f8402ab6c4c67440dfc07d.pdf
    • https://static.usrfiles.com/ugd/3f4b99_308ba696dc50461fae5a23362a573236.pdf
    • https://static.usrfiles.com/ugd/aef5b7_fa46281eb9f7454eb92d72ec73330f95.pdf
    • https://static.usrfiles.com/ugd/bae363_909e292d98584752b1161b3683ed7c66.pdf
    • https://cdn.shopify.com/s/files/1/0440/9766/7224/files/salat_istikhara_in_urdu.pdf
    • https://cdn.shopify.com/s/files/1/0430/7533/8391/files/background_sound_for_ppt_free.pdf
    • https://cdn.shopify.com/s/files/1/0433/6926/7354/files/creature_3d_movie_mp4_song.pdf
    • https://cdn.shopify.com/s/files/1/0431/4093/9933/files/wekinufuposoma.pdf
    • https://cdn.shopify.com/s/files/1/0447/0548/0858/files/xudilijexifabum.pdf
    • https://cdn.shopify.com/s/files/1/0432/4986/0765/files/97789348682.pdf
    • https://cdn.shopify.com/s/files/1/0439/8222/5566/files/41784310968.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006352.bin
1cc431588c66b1969694adebb0535cd88558c6238260e56317908e55280c8534		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6352 4916 bytes
font_01_sfnt_off000073fb.bin
cd96f31addf17f5d03ccb043a8ef3840499b10e0626f0db849ee0adbf684be62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73FB 10464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.