Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c35fd5b49cc4c3b…

MALICIOUS

PDF

43.3 KB Created: 2020-09-01 20:19:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 507deaecf1f7083c9a0de4913731d1c8 SHA-1: edae0f6880410fb0f59137d331091b72ad9d2ccf SHA-256: 8c35fd5b49cc4c3bc776176e7876974f25e9930c60f77fd479538848d908b761
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it points to malicious infrastructure. Additionally, PDF_SEO_LINK_FARM suggests a mass of external links, with the primary malicious URL being ttraff.cc. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the lure to click on external links. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=betin+mobile+app
    • https://cdn.shopify.com/s/files/1/0449/2309/3147/files/college_physics_8th_edition_solutions_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/4940/9950/files/dogefeli.pdf
    • https://cdn.shopify.com/s/files/1/0431/6859/6123/files/digifujixuvokitapokatar.pdf
    • https://cdn.shopify.com/s/files/1/0429/4118/6215/files/pearson_verbal_ability_and_reading_comprehension.pdf
    • https://cdn.shopify.com/s/files/1/0467/8077/6601/files/49585368825.pdf
    • https://cdn.shopify.com/s/files/1/0435/8524/1256/files/fitofubisob.pdf
    • https://cdn.shopify.com/s/files/1/0441/0654/7352/files/char-_broil_gas_grill_performance_340b_test.pdf
    • https://static.usrfiles.com/ugd/b8c837_14d2ad49b4374aca9468dc11e86e9712.pdf
    • https://static.usrfiles.com/ugd/b8c837_1ea06ee8763242819b6ad57a77c297b8.pdf
    • https://static.usrfiles.com/ugd/5d2cf3_f722c24843864ebe9dbd6ce791aa17eb.pdf
    • https://static.usrfiles.com/ugd/b8c837_d09ffebd3a0548338f097d7359f8c037.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cff.bin
e1e431e052490a75b1ea8746a70bd3a3e007cefb81ecc59a9b7c1d40cd11e651		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CFF 4880 bytes
font_01_sfnt_off00007d81.bin
f4125930698ee78ce195119774fdbf897e4e4330b0524597d84da807da1993c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D81 10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.