Malicious PDF — malware analysis report

Static analysis result for SHA-256 55527d6093b201a8…

MALICIOUS

PDF

39.6 KB Created: 2020-09-04 22:31:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 678991304240a2d18151c28b746664dc SHA-1: 2697ea53a9723f520d1e0f398c1bff6a8752c02f SHA-256: 55527d6093b201a8febf8d099699de9cbc4f6c0c0df39b374e0f0151b700a1af
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, which points to 'ttraff.me'. The document body, though heavily obfuscated, contains text related to '2 column cash book excel template' and the malicious URL, suggesting a lure to entice users to click the link. The file also contains a heuristic for a PDF link farm, indicating a broader campaign to distribute links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=2+column+cash+book+excel+template
    • https://cdn.shopify.com/s/files/1/0438/4414/1218/files/classroom_assessment_for_student_learning_stiggins.pdf
    • https://cdn.shopify.com/s/files/1/0429/6366/5062/files/ergonomie_poste_de_travail_informatique.pdf
    • https://cdn.shopify.com/s/files/1/0430/5112/2842/files/76051149486.pdf
    • https://cdn.shopify.com/s/files/1/0440/0549/0846/files/46031880254.pdf
    • https://cdn.shopify.com/s/files/1/0427/4126/8647/files/xaratunofejogirumejix.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/ace_academy_gate_test_series.pdf
    • https://cdn.shopify.com/s/files/1/0435/6567/8755/files/bokezex.pdf
    • https://cdn.shopify.com/s/files/1/0430/9935/7338/files/adventure_story_2_game_apk.pdf
    • https://static.usrfiles.com/ugd/de60da_8b277d3ac4c444ca80de23f3e105cefa.pdf
    • https://static.usrfiles.com/ugd/bcfc12_b51eab2f185247fea51242a5370c7b87.pdf
    • https://static.usrfiles.com/ugd/b8c837_79db1b3cedb34562867ac8531568f8aa.pdf
    • https://static.usrfiles.com/ugd/48d9a1_f014ebf50fbb4de192d89d46078d3a27.pdf
    • https://static.usrfiles.com/ugd/f4de5e_6ae036375d67422ab9804fb6dad924c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_09c52b4e64284ac5b94ce0f5b0924789.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005cfb.bin
0967b351c850133e494d501a328debc884613279f599413feba53017dfacd800		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CFB 5388 bytes
font_01_sfnt_off00006f20.bin
d6f46be96ca429e0333fb8d9971f949d06479650edc0fe2b69acb46d4310e6a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F20 10080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.