Malicious PDF — malware analysis report

Static analysis result for SHA-256 57eba748b74434b0…

MALICIOUS

PDF

Size: 49.1 KB
Created: 2020-08-03 05:57:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 655e5ca1dd48528a319569b02a38b9c0
SHA-1: f095158739f6cf689d5c2fb33ef36268fdebc9fd
SHA-256: 57eba748b74434b06e4b26ad9146e7ff7fbb373851b20df9b6be4e9ec8b92352
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a link to a known malicious redirector, ttraff.com, which is designed to lead users to further malicious content. The document body, though heavily obfuscated, contains the same URL. The presence of a link farm heuristic indicates the document is designed to host numerous external links, likely for SEO poisoning or to distribute malicious payloads. No scripts were extracted, but the primary attack vector is the malicious URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=u1p-+7+battery

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000081bc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x81BC  5000 bytes
  SHA-256: 719ba6417e86314ff9fae52998a5f0b205a506f15e3c25e6acae63de8f531824
font_01_sfnt_off000092e6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x92E6  10648 bytes
  SHA-256: d0ca64a546ef9cd916088dd0f444e18d1d9b3ac3aea2482cb1f63967dfa5259d