Malicious PDF — malware analysis report

Static analysis result for SHA-256 81afecf477c19159…

MALICIOUS

PDF

39.8 KB Created: 2020-08-19 04:18:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2afb7cc2b01ebc843beb3c9acb1b10d9 SHA-1: 2aa1795051f07b0a213f1e1ec994eddadc1262f4 SHA-256: 81afecf477c19159cf1cec94cc167e83ed9d9afd5c1787af2ae305046c3d19f4
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, including one to a known malicious redirector at 'ttraff.com'. The document body text and heuristic firings indicate a lure related to invoices or payments, designed to trick the user into clicking the malicious link. No scripts were extracted, but the PDF structure and embedded links strongly suggest a phishing or redirection attack.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=fix+inaccurate+credit+report
    • http://dorotowi.primalpracticemt.com/uploads/1/3/0/7/130739297/gakaxoxa-wenevizujavax-jitagamef-sivazapup.pdf
    • http://files.adamcares.com/uploads/1/3/1/3/131383283/zetejesidixobe.pdf
    • http://files.omanroadshow.com/uploads/1/3/0/7/130776841/kasulojemuv.pdf
    • https://cdn.shopify.com/s/files/1/0429/6074/8695/files/xarajeladovozilo.pdf
    • https://cdn.shopify.com/s/files/1/0430/3316/5986/files/78751589058.pdf
    • https://cdn.shopify.com/s/files/1/0431/6397/5835/files/93840192799.pdf
    • https://cdn.shopify.com/s/files/1/0431/8468/5224/files/vodka_lagake_song_ringtone.pdf
    • https://cdn.shopify.com/s/files/1/0431/4988/5606/files/51960780365.pdf
    • https://cdn.shopify.com/s/files/1/0428/7240/6179/files/42929357112.pdf
    • https://cdn.shopify.com/s/files/1/0431/6269/7894/files/green_lantern_blackest_night.pdf
    • https://cdn.shopify.com/s/files/1/0433/4921/3349/files/discord_all_text_modifiers.pdf
    • https://cdn.shopify.com/s/files/1/0430/9195/1769/files/pigodabazibinijatixajisef.pdf
    • https://cdn.shopify.com/s/files/1/0439/2416/0667/files/xowupivibudabewun.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f41.bin
62d1630cabcb37161dc98e429b082da3c33d4e03136d197a152aa491362e4f7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F41 4880 bytes
font_01_sfnt_off00006fde.bin
28bce3726f639c7a75f04d7c186413c50db294611f6eb30ba02958e0281edb68		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FDE 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.