Malicious PDF — malware analysis report

Static analysis result for SHA-256 571d103e42ab51f5…

MALICIOUS

PDF

40.6 KB Created: 2020-09-01 10:10:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72fb043f23d1fcd649523f78de4ec652 SHA-1: 7c4907b87d8fc72fcac65246de2afdbb3818e474 SHA-256: 571d103e42ab51f57e0c5e53c272ca2f3d48efce064fb8ad246d1d219408dee6
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 Command and Scripting Interpreter: PowerShell

The PDF document contains a lure for an Australian visitor visa application, which is a common pretext for phishing. It embeds numerous links, with one identified as a malicious redirector at 'ttraff.com'. The document also contains a mass external PDF link farm, likely for SEO poisoning or traffic generation. No scripts were extracted, but the presence of a malicious redirector and the phishing lure strongly suggest the intent is to lead the user to a malicious site for credential harvesting or malware delivery.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=application+form+for+australia+visitor+visa
    • https://cdn.shopify.com/s/files/1/0431/3631/9645/files/70228048909.pdf
    • https://cdn.shopify.com/s/files/1/0447/9765/7248/files/butcher_shop_business_plan.pdf
    • https://cdn.shopify.com/s/files/1/0435/3123/9588/files/23886558418.pdf
    • https://cdn.shopify.com/s/files/1/0461/7538/7811/files/56534861988.pdf
    • https://cdn.shopify.com/s/files/1/0437/8820/6238/files/luxokutexezira.pdf
    • https://cdn.shopify.com/s/files/1/0432/6447/5304/files/anaerobic_jar.pdf
    • https://cdn.shopify.com/s/files/1/0431/2760/3354/files/46921996101.pdf
    • https://cdn.shopify.com/s/files/1/0435/5486/5320/files/55991134396.pdf
    • https://cdn.shopify.com/s/files/1/0440/2819/9062/files/bivukaxexokikuximu.pdf
    • https://static.usrfiles.com/ugd/4b874d_f736258fa8024b77a120ba72b3ca40e2.pdf
    • https://static.usrfiles.com/ugd/b8c837_d03e226abbb2461e832317b20ef606b8.pdf
    • https://static.usrfiles.com/ugd/3f0e57_56a6bcb82d08489b8676bad78a63cdf2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006121.bin
e1cbfb8c46f2e0e5e7483ca4cf4de1cea9956cb628d4364e75a2c5589b982a59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6121 5208 bytes
font_01_sfnt_off000072cf.bin
aca618aa0cad62d70a115200ccf8a7bfcd347dad682d5fb44c7d3c240173d64e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72CF 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.