Malicious PDF — malware analysis report

Static analysis result for SHA-256 8740026c76d4e91f…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Created: 2020-09-17 07:15:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9700e72354777dbf9afd0cdd411ad700
SHA-1: 208aae7d7707cd0487952ca93195b10782cbf73d
SHA-256: 8740026c76d4e91f9097f5c0ebafbfcba9e60f64035e346fa00bf89eb897f7f4
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the document is a carrier for clickable redirector links; if it was itself delivered as an e-mail attachment, T1566.001 Spearphishing Attachment applies as well)
  • T1059.001 Command and Scripting Interpreter: PowerShell (not corroborated by this analysis: no script content was extracted from the sample, so treat this mapping as unconfirmed)

The highest-severity finding is a clickable link to known malicious redirector infrastructure, 'https://ttraff.link/wix?keyword=ifile+organizer+apk'. The sample also triggers the PDF link-farm heuristic: a file this small carries an unusually large number of outbound links to other PDFs, most of them on per-tenant filesusr.com hosts, for example 'https://f546f096-eeda-4028-92e1-ea0da715d17c.filesusr.com/ugd/1715bf_af900fff0aa84b9ea076d4c4d73bfebf.pdf?index=true'. A 'download button' call-to-action phrase adds a social-engineering lure. No scripts were extracted and no PDF parser vulnerability is involved; the document body was heavily obfuscated, so the verdict rests on the link analysis, which points to a phishing or unwanted-software distribution chain that depends on the user clicking through a redirect.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; it counts here because the link findings already point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=ifile+organizer+apk
    • https://f546f096-eeda-4028-92e1-ea0da715d17c.filesusr.com/ugd/1715bf_af900fff0aa84b9ea076d4c4d73bfebf.pdf?index=true
    • https://e3ee72df-1642-466f-84a7-60fdaf2d1d7e.filesusr.com/ugd/49f5ef_cc6a32eee75145e193c31ccea257b4b2.pdf?index=true
    • https://7f621e26-5a03-4006-8947-6e2948f86850.filesusr.com/ugd/cf9ff1_0d55745568a346678e55f6df4d661dc9.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0454/7185/8838/files/listado_de_medicamentos_aines.pdf
    • https://cdn.shopify.com/s/files/1/0431/5031/1579/files/english_grammar_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/3199/4280/files/18460122588.pdf
    • https://cdn.shopify.com/s/files/1/0431/7790/2241/files/pelebanudavene.pdf
    • https://8d7303db-7d70-440b-9318-30a6bd508c34.filesusr.com/ugd/dcf311_1ab88dd46091497b80630e4f9f1be705.pdf?index=true
    • https://8f33a481-cece-4811-a6d6-28cedb1a338b.filesusr.com/ugd/110ef3_4e9286fb94054995b45370bf38904395.pdf?index=true
    • https://413d2652-c806-4d35-b629-a4a2baf1e4b4.filesusr.com/ugd/2f8cea_b49527b81a664cb6ba6f03e82203da6c.pdf?index=true
    • https://c535ee04-5e6d-40c0-8d72-4e781eca48a9.filesusr.com/ugd/dcbeda_dd3d849c2e124433944f655f94c38216.pdf?index=true
    • https://b28ca130-82d8-41cc-9ef3-394d6324601d.filesusr.com/ugd/451a43_78ff2e232c6849e5af8daacba4b08137.pdf?index=true
    The following six are standard XMP/RDF schema namespace identifiers from the document's metadata packet (xmlns declarations), not clickable links, and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
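As an added example (not the analysis platform's code), here is a toy Python re-implementation of the three link heuristics above, run over a constructed PDF-like byte string that reuses this report's URLs. It also produces the per-URL channel label the EMBEDDED_URL entry refers to, separating clickable /URI link annotations from XMP namespace identifiers that merely look like URLs. The thresholds, the KNOWN_REDIRECTORS set, the host-clustering rule and the sample bytes are all assumptions made for the demo.

```python
"""Toy re-implementation of the three link heuristics this report fired.
Added example, not the analysis platform's code. Thresholds, KNOWN_REDIRECTORS
and the sample PDF bytes are assumptions/constructed; only the URLs reused from
the report's Embedded URL list are real.
"""
import re
from collections import Counter
from urllib.parse import urlparse

KNOWN_REDIRECTORS = {"ttraff.link"}  # assumption: redirector hosts you have attributed
MIN_PDF_LINKS = 8                     # assumption: what counts as "many" external .pdf links
MAX_SMALL_PDF = 200 * 1024            # assumption: what counts as a "small" PDF
HOST_SHARE = 0.5                      # assumption: share of links that must sit on one host
CTA_PHRASES = ("click here to download", "download now")

# /URI (...) inside a link-annotation action dict; hex-string URIs (<...>) are not handled.
URI_ANNOT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')  # XMP namespace declarations
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")           # anything URL-shaped, any channel

def pdf_unescape(s):
    """Undo the PDF literal-string escapes that matter for URIs: \\( \\) \\\\ ."""
    return re.sub(rb"\\(.)", rb"\1", s)

def cluster_key(host):
    """Collapse per-tenant subdomains (<uuid>.filesusr.com, cdn.shopify.com) to the last two labels."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def classify_urls(data):
    """Map every URL in the file to the channel that reached it (the report's per-URL label)."""
    annots = {pdf_unescape(m.group(1)).decode("latin-1") for m in URI_ANNOT_RE.finditer(data)}
    xmp = {m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(data)}
    labels = {}
    for m in URL_RE.finditer(data):
        u = m.group(0).decode("latin-1")
        if u in annots:
            labels[u] = "link annotation"  # clickable: the only channel that matters for a lure
        elif u in xmp:
            labels[u] = "xmp namespace"    # schema identifier in metadata, not a link
        else:
            labels.setdefault(u, "document body")
    return labels

def redirector_link(annot_urls):
    hits = [u for u in annot_urls if (urlparse(u).hostname or "") in KNOWN_REDIRECTORS]
    return {"id": "PDF_MALICIOUS_REDIRECTOR_LINK", "severity": "critical", "urls": hits} if hits else None

def link_farm(annot_urls, size):
    pdf_links = [u for u in annot_urls if urlparse(u).path.lower().endswith(".pdf")]
    if size > MAX_SMALL_PDF or len(pdf_links) < MIN_PDF_LINKS:
        return None
    hosts = Counter(cluster_key(urlparse(u).hostname or "") for u in pdf_links)
    top, n = hosts.most_common(1)[0]
    if n / len(pdf_links) < HOST_SHARE:
        return None
    return {"id": "PDF_SEO_LINK_FARM", "severity": "critical", "host": top, "links": len(pdf_links)}

def download_lure(data):
    # Real PDFs keep page text in (usually Flate-compressed) content streams: inflate them first.
    text = data.decode("latin-1").lower()
    hits = [p for p in CTA_PHRASES if p in text]
    return {"id": "SE_DOWNLOAD_BUTTON", "severity": "low", "phrases": hits} if hits else None

def analyze(data):
    urls = classify_urls(data)
    annot = [u for u, ch in urls.items() if ch == "link annotation"]
    checks = (redirector_link(annot), link_farm(annot, len(data)), download_lure(data))
    return {"size": len(data), "urls": urls, "findings": [f for f in checks if f]}

def build_sample_pdf(links, cta="Download Now"):
    """Constructed PDF-like bytes: enough structure for the regexes above, not a valid PDF."""
    annots = b"".join(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode() for u in links)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf 0.12.5"/>'
           b"</rdf:RDF></x:xmpmeta>\n")
    return b"%PDF-1.4\n" + annots + xmp + b"BT (" + cta.encode() + b") Tj ET\n%%EOF\n"

# Links reused from this report's Embedded URL list; everything around them is constructed.
SAMPLE_LINKS = [
    "https://ttraff.link/wix?keyword=ifile+organizer+apk",
    "https://f546f096-eeda-4028-92e1-ea0da715d17c.filesusr.com/ugd/1715bf_af900fff0aa84b9ea076d4c4d73bfebf.pdf?index=true",
    "https://e3ee72df-1642-466f-84a7-60fdaf2d1d7e.filesusr.com/ugd/49f5ef_cc6a32eee75145e193c31ccea257b4b2.pdf?index=true",
    "https://7f621e26-5a03-4006-8947-6e2948f86850.filesusr.com/ugd/cf9ff1_0d55745568a346678e55f6df4d661dc9.pdf?index=true",
    "https://8d7303db-7d70-440b-9318-30a6bd508c34.filesusr.com/ugd/dcf311_1ab88dd46091497b80630e4f9f1be705.pdf?index=true",
    "https://8f33a481-cece-4811-a6d6-28cedb1a338b.filesusr.com/ugd/110ef3_4e9286fb94054995b45370bf38904395.pdf?index=true",
    "https://413d2652-c806-4d35-b629-a4a2baf1e4b4.filesusr.com/ugd/2f8cea_b49527b81a664cb6ba6f03e82203da6c.pdf?index=true",
    "https://cdn.shopify.com/s/files/1/0454/7185/8838/files/listado_de_medicamentos_aines.pdf",
    "https://cdn.shopify.com/s/files/1/0431/5031/1579/files/english_grammar_download.pdf",
    "https://cdn.shopify.com/s/files/1/0431/3199/4280/files/18460122588.pdf",
]

if __name__ == "__main__":
    report = analyze(build_sample_pdf(SAMPLE_LINKS))
    for finding in report["findings"]:
        print(finding)
    for url, channel in report["urls"].items():
        print(f"{channel:16} {url}")
```

On the constructed sample this fires all three detections and labels the w3.org and ns.adobe.com URIs as "xmp namespace" rather than as links. Against real files, regexes over raw bytes are only a first pass: link annotations can sit inside object streams and page text inside Flate-compressed content streams, so a production check should walk the object tree with a PDF parser and inflate streams before applying the same logic.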

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off00006365.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6365
  Size:    3168 bytes
  SHA-256: 4872cf58dd5e996081cebd475c02332230249c3d57165c171ec8f349e3f6bce7

font_01_sfnt_off00006ec3.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6EC3
  Size:    4944 bytes
  SHA-256: 41eb62b21515d8b29beac74ec93ce0b57d762be0e4402a8dc91efc56662374dc

font_02_sfnt_off00007fad.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7FAD
  Size:    1800 bytes
  SHA-256: a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620

font_03_sfnt_off0000883a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x883A
  Size:    10236 bytes
  SHA-256: 16cd4100403c7e6339fe78ab727f1881c3cb1b8e8347e62a7f8998d9038b8145