Malicious PDF — malware analysis report

Static analysis result for SHA-256 802c9c6d75267965…

Verdict: MALICIOUS
File type: PDF
Size: 53.9 KB
Created: 2020-10-17 09:59:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ef26d5eda770150c1e6513f831c8848
SHA-1: a56fc989fdcb930d0860ff525305cbca222025b3
SHA-256: 802c9c6d75267965c1ff8525df61a9a0da110bbf585c0dcc2dc48d62ea9bdedd
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a link farm designed to redirect users to malicious infrastructure, disguised as search results for popular software. The primary malicious URL is on ttraff.link, a host known to serve redirectors. The document body also contains that URL alongside other embedded URLs, reinforcing the lure. The presence of many PDF links pointing at external hosts suggests an SEO-poisoning or link-farm attack pattern.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/123?keyword=swiftkey+apk+pro+download

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00007430.bin
  SHA-256: bbfdcf0450c0191dabaf14c6b645e678700508e5ea352f499d922181ff375116
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7430
  Size: 5216 bytes

font_01_sfnt_off0000860d.bin
  SHA-256: 21a7146106e2ad29a4dcc6aa55cee169416400570e2b3d493b6d071cb256f2f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x860D
  Size: 1936 bytes

font_02_sfnt_off00008f4f.bin
  SHA-256: 61dc4e940c8f0d7c6b7ffcf4b67e60d3b3c343ae3fc47edc5a5e50af36e1b186
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8F4F
  Size: 10516 bytes

font_03_sfnt_off0000b365.bin
  SHA-256: 0a2507360a40dd56b84230664db2b3a2689cb34b0aa642599c8245950ba374cb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB365
  Size: 16304 bytes