Malicious PDF — malware analysis report

Static analysis result for SHA-256 916d33bbbc6d6534…

Verdict: MALICIOUS
File type: PDF
Size: 52.7 KB
Created: 2020-07-09 20:05:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0bfe5c6074c06157cadad001e887a3de
SHA-1: 31339632e247cfcc63f5eae4221d8d349cfe5f90
SHA-256: 916d33bbbc6d653459c6d9c5290e15275863849ffd4a6481a79772470f775247
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment (the PDF itself is the delivered attachment)
  • T1204.001 User Execution: Malicious Link (the reader has to click a link annotation in the PDF to reach the redirector)

The PDF contains numerous links to external websites, among them a redirector at 'ttraff.com' whose query string carries the SEO keyword the document was generated around, which points to phishing or malware distribution rather than to a legitimate document. The password-protected archive handoff heuristic indicates the document tells the reader how to open a password-protected archive, a device used to keep the real payload encrypted until after gateway scanning has passed. The document body itself is heavily obfuscated but still references the linked URLs. No PDF parser vulnerability is involved: the chain depends on user interaction and redirects.

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability: nothing executes on open, the reader has to click.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [high] SE_PASSWORD_ARCHIVE_LURE: Password-protected archive handoff
    The document gives password instructions for an archive or attachment, a pattern used to keep payloads encrypted until after gateway scanning.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own and matters here only because the other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    [link annotation] Redirector. The keyword in the query string ('car rental system project pdf') is the SEO bait this document was generated for:
      • https://ttraff.com/wb?keyword=car%20rental%20system%20project%20pdf
    [link annotation] External PDF link farm (20 links, the basis of PDF_SEO_LINK_FARM). The nine files.* hosts share one /uploads/1/3/x/y/<id>/ path layout, consistent with a single file-hosting backend behind many custom domains; the remainder are wordpress.com file subdomains and two Shopify CDN stores:
      • http://files.metaburger.com/uploads/1/3/0/7/130776591/kivigedelitiwifuwuni.pdf
      • http://files.thefilamentstudio.com/uploads/1/3/1/6/131606035/fakesijerisaz.pdf
      • http://files.strawberryflats.com/uploads/1/3/0/8/130813401/46dbc8435b1ef9a.pdf
      • http://files.liquidsunshinedesigns.net/uploads/1/3/1/6/131606644/6427307.pdf
      • http://files.customerfocusedlearning.com/uploads/1/3/0/7/130738814/bavajesapamukogobos.pdf
      • http://files.centrepointecincinnati.com/uploads/1/3/1/4/131406413/e08b8.pdf
      • http://files.racepartsliquidators.com/uploads/1/3/1/6/131636914/takipisot.pdf
      • http://files.outdorr.com/uploads/1/3/0/8/130874541/92a9b7097.pdf
      • http://files.wychocki.com/uploads/1/3/0/7/130738562/gobodovusalivalub.pdf
      • https://likulorasix.files.wordpress.com/2020/07/83692044588.pdf
      • https://patebojotu.files.wordpress.com/2020/06/32592479787.pdf
      • https://buxanoxunos.files.wordpress.com/2020/06/fowilesunetekadep.pdf
      • https://nurapanaki.files.wordpress.com/2020/06/44026159936.pdf
      • https://zopoluwo.files.wordpress.com/2020/06/noxexifowikebi.pdf
      • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/85947343199.pdf
      • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vazakiliduvapi.pdf
      • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/jedufejaselikaruratemop.pdf
      • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/99203043279.pdf
      • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/koxumugude.pdf
      • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/26384136461.pdf
    [document metadata] XMP schema namespace identifiers from the metadata packet. These are the standard RDF, Dublin Core and Adobe XMP namespaces that wkhtmltopdf/Qt writes into every output file; they are not clickable links and carry no signal:
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
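
The two heuristics above (a clickable redirector, and a link farm of external .pdf targets) come down to pulling URIs out of /Link annotation actions and then looking at where they point, while keeping URLs that merely occur in the XMP metadata packet (the rdf/dc/adobe namespace identifiers listed above) out of that count. The following is an added example of that workflow, not the report tool's own code: it walks FlateDecode streams so annotations stored in an object stream are seen, labels each URL by channel, and scores a PDF_SEO_LINK_FARM-style rule. The thresholds, the host names and the sample PDF it builds are constructed for the example.

```python
"""Added example, not the report tool's code: pull URIs out of a PDF's /Link
annotation actions, keep them apart from URLs that merely occur in the XMP
metadata packet (the rdf/dc/adobe namespace identifiers listed above), and score
a PDF_SEO_LINK_FARM-style heuristic over the result. Host names, thresholds
and the sample PDF are constructed for the example."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # literal-string /URI only
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
XMP_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                   "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")

def inflated_streams(pdf):
    """Yield the inflated body of every FlateDecode stream; uncompressed streams
    are skipped because their bytes are already visible in the raw file."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass

def _unescape(s):
    # Handles \( \) \\ ; octal escapes are left alone, which is enough for URLs.
    return re.sub(rb"\\(.)", lambda m: m.group(1), s).decode("latin-1")

def extract_urls(pdf):
    """De-duplicated [(channel, url)]. Channels: 'link-annotation' (clickable
    /URI action), 'xmp-namespace' (schema identifier inside the XMP packet)
    and 'metadata-body' (any other URL found in the XMP packet)."""
    surface = pdf + b"\n" + b"\n".join(inflated_streams(pdf))
    found = [("link-annotation", _unescape(m.group(1))) for m in URI_RE.finditer(surface)]
    for pkt in re.finditer(rb"<\?xpacket begin.*?<\?xpacket end[^>]*\?>", surface, re.S):
        for u in URL_RE.findall(pkt.group(0)):
            url = u.decode("latin-1")
            found.append(("xmp-namespace" if url.startswith(XMP_NS_PREFIXES)
                          else "metadata-body", url))
    return list(dict.fromkeys(found))

def link_farm(urls, pdf_size, max_size=200_000, min_pdf_links=8, min_top_share=0.25):
    """Assumed thresholds: a small file whose clickable links point at many
    external .pdf files, with a large share of them on a single host."""
    pdf_links = [u for c, u in urls
                 if c == "link-annotation" and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "hosts": dict(hosts), "top_host": top_host,
            "top_share": round(share, 2),
            "fired": pdf_size <= max_size and len(pdf_links) >= min_pdf_links
            and share >= min_top_share}

def build_sample_pdf(uris):
    """Constructed input: one page whose /Link annotations sit in a FlateDecode
    object stream (a grep of the raw file misses them), plus an uncompressed
    XMP packet. No xref table; the byte-level scanner does not need one."""
    annots, offsets, pos = [], [], 0
    for i, uri in enumerate(uris):
        esc = uri.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(f"<< /Type /Annot /Subtype /Link /Rect [0 {i*12} 200 {i*12+10}] "
                      f"/A << /S /URI /URI ({esc}) >> >>")
        offsets.append(f"{10 + i} {pos}")
        pos += len(annots[-1])
    header = " ".join(offsets) + "\n"
    objstm = zlib.compress((header + "".join(annots)).encode("latin-1"))
    xmp = ("<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?><x:xmpmeta xmlns:x='adobe:ns:meta/'>"
           "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'><rdf:Description "
           "xmlns:pdf='http://ns.adobe.com/pdf/1.3/' xmlns:xmp='http://ns.adobe.com/xap/1.0/' "
           "xmp:CreatorTool='wkhtmltopdf 0.12.5'/></rdf:RDF></x:xmpmeta><?xpacket end='w'?>").encode()
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(uris))).encode()
    return b"".join([
        b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 300 300] /Annots [" + refs + b"] >> endobj\n",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /ObjStm /N %d /First %d /Filter /FlateDecode /Length %d >>\nstream\n"
        % (len(uris), len(header), len(objstm)) + objstm + b"\nendstream\nendobj\n%%EOF\n"])

# Constructed sample: one keyword-bait redirector plus 11 external .pdf links,
# seven of them on one host, mirroring the pattern the heuristic looks for.
SAMPLE_URIS = (["https://redirector.example/wb?keyword=car%20rental%20system%20project%20pdf"]
               + [f"https://cdn.host-a.example/files/{i}.pdf" for i in range(7)]
               + [f"http://files.host-{c}.example/uploads/1/3/0/7/{i}.pdf" for i, c in enumerate("bcde")])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm(extract_urls(SAMPLE_PDF), len(SAMPLE_PDF)))
```

This is a byte-level scanner, not a PDF parser: it does not follow the xref, handle encrypted files, or decode hex-string (`<...>`) /URI values, so on a real sample treat a miss as "not found by this method" rather than "absent". The channel label is what makes the namespace URIs harmless and the annotation URIs interesting; counting both together is how a tool ends up reporting six benign schema URLs next to twenty link-farm targets.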

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00008f04.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8F04  5244 bytes
  SHA-256 7c532479af638e437a1d93b3c05027e7d5b0bae495d05cc28f78d9cc57cf474a
font_01_sfnt_off0000a0d9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA0D9  10716 bytes
  SHA-256 2e3625fbd04c3f36fae1c115c958c019b847d779df0c6ddafdfa8d1a8aa48a46
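
An offset/size pair like 0x8F04 / 5244 bytes comes from finding an sfnt (TrueType/OpenType) header and reading the table directory to learn where the font actually ends, rather than trusting the surrounding stream's /Length. The block below is an added example of that carving step, not the report tool's code. The sfnt layout it parses (12-byte offset table, 16-byte table records) is the real format; the buffer it scans is constructed here and is not the analysed sample, and it assumes you hand it already-inflated stream data when the fonts are FlateDecode-compressed.

```python
"""Added example, not the report tool's code: carve embedded sfnt fonts
(TrueType/OpenType FontFile streams) out of a byte buffer by their magic and
walk the table directory to recover each font's exact extent, which is how a
carver arrives at an offset/size pair such as 0x8F04 / 5244 bytes. The buffer
below is constructed for this example and is not the analysed sample."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple TrueType, CFF OpenType

def sfnt_extent(buf, off):
    """Length of the sfnt starting at buf[off], or None if the header and table
    directory do not parse as a plausible font. This is the false-positive
    filter: 0x00010000 and 'true' occur in ordinary binary data too."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= 64 or off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):      # table tags are printable ASCII
            return None
        if t_off < dir_end or off + t_off + t_len > len(buf):  # table must follow the directory
            return None
        end = max(end, t_off + t_len)
    return end

def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()

def carve_sfnt(buf):
    """Return [{'offset', 'length', 'sha256'}] for every validated sfnt in buf.
    After a hit the scan resumes past the font so tables inside it are not
    re-reported; after a rejected magic it advances one byte."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_extent(buf, off)
        if length is None:
            pos = off + 1
            continue
        found.append({"offset": off, "length": length,
                      "sha256": sha256_hex(buf[off:off + length])})
        pos = off + length

def build_sfnt(tables):
    """Constructed minimal sfnt: header, directory, 4-byte aligned table data.
    Checksums are left at zero, which sfnt_extent does not verify."""
    hdr = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    off, recs, data = 12 + 16 * len(tables), b"", b""
    for tag, body in tables:
        recs += struct.pack(">4sIII", tag, 0, off, len(body))
        body += b"\0" * (-len(body) % 4)
        data += body
        off += len(body)
    return hdr + recs + data

# Constructed buffer standing in for a PDF: two fonts inside stream objects,
# preceded by two decoys whose magic matches but whose directory does not
# (zero tables; three tables with non-ASCII tags).
FONT_A = build_sfnt([(b"head", b"\x01" * 54), (b"cmap", b"\x02" * 100), (b"glyf", b"\x03" * 200)])
FONT_B = build_sfnt([(b"head", b"\x04" * 54), (b"CFF ", b"\x05" * 300)])
DECOYS = b"\x00\x01\x00\x00\x00\x00" + b"\x00\x01\x00\x00\x00\x03" + b"\xff" * 60
SAMPLE = (b"%PDF-1.4\n9 0 obj << /Length 1 >>\nstream\n" + DECOYS + FONT_A
          + b"\nendstream\nendobj\n10 0 obj << /Length 1 >>\nstream\n" + FONT_B + b"\nendstream\n")

if __name__ == "__main__":
    for hit in carve_sfnt(SAMPLE):
        print(f"sfnt at offset 0x{hit['offset']:X} {hit['length']} bytes sha256 {hit['sha256']}")
```

The extent is max(offset + length) over the table records, so a font whose stream was padded or whose /Length is wrong is still carved at its true size, and the SHA-256 over exactly those bytes is what lets two reports agree on an artifact hash.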