Malicious PDF — malware analysis report

Static analysis result for SHA-256 832c66ab6b456498…

Verdict: MALICIOUS
File type: PDF
Size: 44.1 KB
Created: 2020-09-18 08:58:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88639a81da8bb3f39d79f4e9fd9b60d4
SHA-1: 8a9eaaca6ab4ed931a3dcb72ccc8ef137e75aa4e
SHA-256: 832c66ab6b45649810fceea084e1db6b603fe494ce88e4e01f905a346b8821e5
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded clickable links, most of them pointing to hosts associated with link farms. One URL, "https://ttraff.club/wix?keyword=windows+check+port+is+open", is a known malicious redirector. The document body, although partially corrupted, carries text about checking open ports on Windows, which serves as the lure: a user searching for that topic opens the PDF and clicks through. The file was produced with wkhtmltopdf, which is consistent with an automatically generated web-page-to-PDF carrier rather than an authored document. The primary intent is to route users into redirect chains leading to malicious or unwanted-software infrastructure; no parser exploit is involved, so the risk is entirely in the user following the links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link-annotation URLs (clickable):
    • https://ttraff.club/wix?keyword=windows+check+port+is+open (flagged: malicious redirector)
    • http://files.jara4you.com/uploads/1/3/0/7/130740141/jubumu.pdf
    • http://files.byronbayhealthycommunication.com/uploads/1/3/0/8/130813362/fotolofiwibalav-zopuzana-sazitupuwimasal-wananagomikela.pdf
    • http://giguwutaw.emperatrice-maltese.co.uk/uploads/1/3/1/0/131070420/nowituge.pdf
    • http://files.halcyonimages.com.au/uploads/1/3/1/4/131453421/3572532.pdf
    • http://bunebaxi.jacquiconsults.com/uploads/1/3/1/1/131163962/5ac476d35d61.pdf
    • http://kikemi.bsmcmilehighchapter5280.com/uploads/1/3/1/3/131381130/wisabul.pdf
    • http://files.caritas-academy.com/uploads/1/3/1/4/131407424/4308411.pdf
    • http://files.olgatarasova.com/uploads/1/3/0/7/130775434/pupolox-levafir.pdf
    • http://satitaf.warwickkentphotos.com/uploads/1/3/1/1/131164157/4271505.pdf
    • https://650ef2cd-702c-427b-b68a-533551a80be7.filesusr.com/ugd/95089d_0866831eaecf403d977157efb54a4fb4.pdf?index=true
    • https://8ec53d9d-e760-4bda-b23e-d3b1199433a4.filesusr.com/ugd/008e52_1e7ea1e0224746809889b59f3e5aa932.pdf?index=true
    • https://8e4d43c9-9900-411f-9bbd-3f17a0961484.filesusr.com/ugd/e4d7df_b457e3162c644b8389a7d44e51e01966.pdf?index=true
    • https://52ad9e7f-e253-4cc0-98fa-743a454f6f0a.filesusr.com/ugd/a4c1fa_a1d43eb453154315a7acdcf5e8ac3418.pdf?index=true
    Metadata namespace URIs (XMP/RDF schema identifiers from the document metadata stream, not clickable links; present in almost every PDF):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
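The two critical heuristics above reduce to a small amount of logic: pull the URIs out of /Link annotations (the clickable channel, as opposed to XMP namespace URIs in the metadata stream), then check whether a small file carries many external .pdf links clustered on one host, and whether any link targets a known redirector host. The script below is an added example written for this report, not the analysis tool's own code. It builds a constructed one-page PDF with one link annotation per URL so it runs offline; the thresholds (200 KB, 8 links, 50% on one host) and the `files.example.invalid` hostname are assumptions, and the only redirector host in its list is the ttraff.club host named in this report.

```python
"""Triage helper: extract clickable /URI targets from a PDF and apply the
link-farm and redirector heuristics. Added example, not the report tool's code.
Thresholds and the farm hostname in the sample are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a /Link annotation's /A action dictionary.
# PDF literal strings may contain escaped parentheses, hence (?:[^()\\]|\\.)*.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")

# Hosts flagged on sight. Only the redirector named in the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.club"}

# Constructed sample: the report's redirector URL plus nine farm links on an
# assumed host (files.example.invalid is not from the report).
SAMPLE_URLS = ["https://ttraff.club/wix?keyword=windows+check+port+is+open"] + [
    f"http://files.example.invalid/uploads/1/3/0/{n}/doc{n}.pdf" for n in range(1, 10)
]


def build_sample_pdf(urls):
    """Construct a minimal one-page PDF with one /Link annotation per URL.
    No xref table is emitted: the scanner below works on raw bytes, and the
    report's heuristics do not depend on a valid cross-reference."""
    objs, refs = [], []
    for num, url in enumerate(urls, start=4):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
        refs.append(f"{num} 0 R")
    body = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(refs)}] >>\nendobj\n"
        + "".join(objs)
        + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


def extract_link_uris(pdf_bytes):
    """Return the string of every /URI (...) entry in document order.
    XMP namespace URIs live in an XML metadata stream, not in /URI keys,
    so they are not picked up here."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", lambda e: e.group(1), m.group(1))  # undo \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris


def score_links(uris, pdf_size, max_size=200 * 1024, min_links=8, cluster_ratio=0.5):
    """Apply the report's two critical heuristics. Thresholds are assumptions."""
    hosts = [urlsplit(u).hostname or "" for u in uris]
    hosts = [h.lower() for h in hosts if h]
    external_pdf = [u for u in uris
                    if urlsplit(u).hostname and urlsplit(u).path.lower().endswith(".pdf")]
    if hosts:
        top_host, top_count = Counter(hosts).most_common(1)[0]
        share = top_count / len(hosts)
    else:
        top_host, share = "", 0.0
    findings = []
    # Small carrier, many external .pdf links, mostly on one host: link farm.
    if pdf_size <= max_size and len(external_pdf) >= min_links and share >= cluster_ratio:
        findings.append("PDF_SEO_LINK_FARM")
    # Any clickable link into known redirector infrastructure.
    if any(h in KNOWN_REDIRECTOR_HOSTS for h in hosts):
        findings.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    return {"links": len(uris), "external_pdf_links": len(external_pdf),
            "top_host": top_host, "top_host_share": round(share, 2),
            "findings": findings}


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    found = extract_link_uris(sample)
    print(score_links(found, len(sample)))
```

Run against a real sample, replace `build_sample_pdf` with the file's bytes; for PDFs whose annotations sit inside compressed object streams, decompress them first (a raw-bytes scan only sees uncompressed dictionaries), and treat the host clustering as crude, since it groups by full hostname rather than registrable domain.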

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006fa4.bin
SHA-256: 6f9300f5a22364959e3fd2893f0673fafe0476dd2c0e7a353786a32cbc0b4779
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6FA4
Size: 5088 bytes

Filename: font_01_sfnt_off00008109.bin
SHA-256: 2f1d4541d9133b5fa104722528c0f2886066ca576294d1394aa9845edaa75493
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8109
Size: 10060 bytes