Malicious PDF — malware analysis report

Static analysis result for SHA-256 86da796b0bf3ff89…

MALICIOUS

PDF

32.7 KB Created: 2020-08-29 10:44:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83b7de9449623b80b8658636ea1a844b SHA-1: 79705eaed2a88ad4969585ab976297ba45c0da36 SHA-256: 86da796b0bf3ff894a53c54e843918aae62253b8b04dea0777385b5ab30d1afa
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded links, presented as a manual, which are designed to redirect users to malicious infrastructure. The primary malicious URL identified is https://ttraff.cc/wix. This technique is commonly used for phishing or to distribute further malware. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=sub-zero+dual+refrigeration+system+650+manual
    • https://cdn.shopify.com/s/files/1/0431/0158/5570/files/4898595913.pdf
    • https://cdn.shopify.com/s/files/1/0461/9829/2643/files/ambushing_is_a_form_of.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/74017315355.pdf
    • https://cdn.shopify.com/s/files/1/0432/1289/8461/files/discord_apk_all_versions.pdf
    • https://cdn.shopify.com/s/files/1/0429/6704/0154/files/44288373276.pdf
    • https://static.usrfiles.com/ugd/b8c837_dca248b2fdd34075aa563d43fe792528.pdf
    • https://static.usrfiles.com/ugd/b8c837_180bab1df0fc4d8e9ea8f9ab08d461e7.pdf
    • https://static.usrfiles.com/ugd/b8c837_b2a7b9e453ab42369fa6184c26b403f4.pdf
    • https://static.usrfiles.com/ugd/b8c837_50bab3f08c394066abee1ec8615017ce.pdf
    • https://static.usrfiles.com/ugd/b8c837_eed78987074f413aa1a7f32ec3bee87a.pdf
    • https://cdn.shopify.com/s/files/1/0435/1187/3688/files/15870111542.pdf
    • https://cdn.shopify.com/s/files/1/0437/5825/6286/files/kolin.pdf
    • https://cdn.shopify.com/s/files/1/0434/0970/3062/files/10311108483.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004322.bin
4ea6b29a71bd3107f22bfaf24e49ea52fc9e34e678defba0a82cb2c9ee42c8df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4322 6072 bytes
font_01_sfnt_off000057cf.bin
af5738ed51860ccdb6bd96b7218bcc7d0d47576b753ed86e2e95fcab3f33023f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57CF 8896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.