Malicious PDF — malware analysis report

Static analysis result for SHA-256 51c6e85395877e3a…

MALICIOUS

PDF

62.0 KB Created: 2020-08-18 23:20:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d8b302013716b078054327572e6af12 SHA-1: e930add50de8c06ec65a92c828be6eebf9f4bf2f SHA-256: 51c6e85395877e3a093b233e77828b9a78e984cd798eea4eb239db4612993189
168 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link and a large number of external PDF links, suggesting a link farm or redirection tactic. The presence of a 'download button' lure and a 'browser extension installation lure' indicates a social engineering attempt to trick the user into clicking the malicious link. The primary malicious URL identified is ttraff.cc, which is known for redirecting to malicious content.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=bilibili+video+er+firefox
    • http://files.fourstatesymphonicwinds.org/uploads/1/3/1/4/131437249/divozes.pdf
    • https://cdn.shopify.com/s/files/1/0434/3490/1660/files/amplitude_shift_keying_using_matlab.pdf
    • https://cdn.shopify.com/s/files/1/0431/6646/6216/files/noradaninagevilivexi.pdf
    • https://cdn.shopify.com/s/files/1/0438/7936/6811/files/cantares_mexicanos.pdf
    • https://cdn.shopify.com/s/files/1/0429/5491/6003/files/aplasia_medular_tratamiento.pdf
    • https://cdn.shopify.com/s/files/1/0433/7080/7461/files/jenkintown_pa_police_reports.pdf
    • https://cdn.shopify.com/s/files/1/0438/1186/4738/files/schengen_visa_application_form_belgium.pdf
    • https://cdn.shopify.com/s/files/1/0435/8511/0177/files/romamesuxelufidikusi.pdf
    • https://cdn.shopify.com/s/files/1/0431/5047/5413/files/fowekakanavifesaduterafaj.pdf
    • https://cdn.shopify.com/s/files/1/0431/7547/7407/files/juzubaxasul.pdf
    • https://cdn.shopify.com/s/files/1/0433/4374/1083/files/xovegebiwukenupe.pdf
    • https://cdn.shopify.com/s/files/1/0432/3019/9966/files/lobomega.pdf
    • https://cdn.shopify.com/s/files/1/0434/5731/4983/files/23058595546.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006738.bin
3c1499defb01d70bb2cd1a99f2187e9b55a53790071b73e60527571891b9895c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6738 6832 bytes
font_01_sfnt_off00007857.bin
355ab153bf456b7161bb8dbeba476e40912120023119b1c2a3f03542a4f06dc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7857 4368 bytes
font_02_sfnt_off000087b1.bin
7ccf016a619d4fb8833491ab6dee1716b784cd647c00ca59d72f71eb9a44ccb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87B1 4432 bytes
font_03_sfnt_off000096c4.bin
84daf345e21b08075a6e329eeacb0a13a0447ddcc3efc64e98a9a4ab9c6a9d9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x96C4 1936 bytes
font_04_sfnt_off0000a005.bin
f0f4d9558aed14425c514edbe237aac969bfbe9bbbcac213e4dbac91eb6666df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA005 10564 bytes
font_05_sfnt_off0000c464.bin
5663d8578250f824917609d3eb76e3efe1318610afd7b77be9e2258255c4b957		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC464 16296 bytes
font_06_sfnt_off0000d9e0.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD9E0 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.