Malicious PDF — malware analysis report

Static analysis result for SHA-256 83c90864e4afd4ff…

MALICIOUS

PDF

43.2 KB Created: 2020-08-31 00:50:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2674022e95f3ceb662a555d93bd9e18 SHA-1: 223f3a43f41892564f458e3a3caa769c520c871e SHA-256: 83c90864e4afd4ff37e443aa0ccfeedfadc23f61fb413f74b3ef3962f9ac2c1e
130 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF file contains a link to a known malicious redirector, ttraff.com, disguised as a user manual. The document body, though heavily obfuscated, contains the URL and appears to be a lure. The presence of a link farm heuristic further suggests an attempt to distribute malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=empava+wall+oven+user+manual
    • https://static.usrfiles.com/ugd/9e14ca_35e1a365596c4ea989ff69017dc1245b.pdf
    • https://static.usrfiles.com/ugd/b8c837_0e273e18c1004126acd85c1c5cee17c8.pdf
    • https://static.usrfiles.com/ugd/ac72e0_2b94bf2959914c95bdbd1107e1972316.pdf
    • https://static.usrfiles.com/ugd/d63aaf_e508441ee23e40f380d34aa3456b9587.pdf
    • https://static.usrfiles.com/ugd/50c35f_8b0cd9ef33464f40bffb754b0436a3fb.pdf
    • https://cdn.shopify.com/s/files/1/0429/4295/5676/files/velegegogasixafuga.pdf
    • https://static.usrfiles.com/ugd/89363e_96fa3a0e0a444f56bc6d95622d855922.pdf
    • https://static.usrfiles.com/ugd/361045_a91728eabb164ad1849b96804094ad92.pdf
    • https://static.usrfiles.com/ugd/b8c837_4346a07626364f4ea31edb267f41de55.pdf
    • https://cdn.shopify.com/s/files/1/0429/9682/6261/files/34404308950.pdf
    • https://cdn.shopify.com/s/files/1/0435/1482/2808/files/mr_heater_big_maxx_80000_btu_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/4244/7265/files/74641933023.pdf
    • https://cdn.shopify.com/s/files/1/0427/4041/6678/files/apollonius_rhodius_argonautica.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ff1.bin
194e7192dae47ef49c4ddc05ea92f4e122e9e7d24ac2e5674205eedab299246b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FF1 4828 bytes
font_01_sfnt_off00007042.bin
d1372f54dd6d62d052e071d742d37b9b3a30f2bd795db7e66fffc12bce3c6ac5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7042 9948 bytes
font_02_sfnt_off00009247.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9247 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.