Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ae67cecb506c0a5…

MALICIOUS

PDF

271.8 KB Created: 2020-09-01 15:31:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 251f37dacf2e1f5220d75dd66de86292 SHA-1: 4aa01af60a380cb31944dbc9b91f178de14ab6ad SHA-256: 8ae67cecb506c0a5bdfa623a8f18e32ea6b51750af6f3e3a4e38a133768177f8
262 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.link/wix?keyword=firefox+50+esr'. Additional heuristics indicate social engineering tactics, including a fake browser security check, a lure for browser updates, and a request for recovery secrets, all designed to prompt user interaction. The document body, though heavily obfuscated, also contains the malicious URL, reinforcing the attack vector.

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Fake browser/security check with command step high SE_FAKE_BROWSER_SECURITY_CHECK
    Document combines browser or security-check verification language with instructions to paste or run a command
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=firefox+50+esr
    • https://static.usrfiles.com/ugd/696b8a_c56f2232f61d4d8d8d87e0628a7ce8f2.pdf
    • https://static.usrfiles.com/ugd/e0d0cf_e06c6623bd0c4712846969f3e809209c.pdf
    • https://static.usrfiles.com/ugd/4b7290_d443b06aa4824b4c91b73c314b176224.pdf
    • https://static.usrfiles.com/ugd/a838c0_eda7818feeb54a999675c9bb98a82809.pdf
    • https://static.usrfiles.com/ugd/b8c837_e98a78be759f4755a6cfcf6a87a56ff2.pdf
    • https://static.usrfiles.com/ugd/3e9e83_64f665b8dbf143e6bbf0180e9de1308e.pdf
    • https://static.usrfiles.com/ugd/99965f_9a43ef0fa4134c3fafeebb34534a154b.pdf
    • https://static.usrfiles.com/ugd/b8c837_a35b832cc50148b8aeebe5931d5bafee.pdf
    • https://cdn.shopify.com/s/files/1/0432/2341/6987/files/south_african_constitution_bill_of_rights_summary.pdf
    • https://cdn.shopify.com/s/files/1/0428/4468/4454/files/vabasavowifatevedavesuk.pdf
    • https://cdn.shopify.com/s/files/1/0430/9119/8112/files/norumufezelu.pdf
    • https://cdn.shopify.com/s/files/1/0437/5475/0106/files/93509586958.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003d642.bin
9f07a400e75c177e496f395344003d4a7545e118b36bf59d530d47f9bb3550f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3D642 6168 bytes
font_01_sfnt_off0003e5e1.bin
4b0e513af676d3121d5ad3bb10bf709a32e72916786be63127208ac4095f0903		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3E5E1 4808 bytes
font_02_sfnt_off0003f65c.bin
d6986dfd6650a03dffa105fce2990ba70c58526edb747e380ced6373f971c008		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3F65C 15260 bytes
font_03_sfnt_off00042732.bin
0d9b6ab0354368cdfa5a4e52e4dfb250ede80cec4283e48fafec0a3c1c1d30df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x42732 1736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.