Malicious PDF — malware analysis report

Static analysis result for SHA-256 96bcc213c66c5ba3…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Created: 2020-08-15 19:51:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62df97d9dc7ba397aa6b1eab307f8e6a
SHA-1: 7aacf04999372fd3a58732d7b5fdb02e454be1f9
SHA-256: 96bcc213c66c5ba39b7afef61f97b49dd322c7c8df30e982f0edcbe20754e757
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1200 Hardware Add-in
  • T1059.001 PowerShell

The PDF file contains a significant number of embedded URLs, with a critical heuristic firing indicating a malicious redirector link to 'ttraff.com'. Another critical heuristic identified it as a PDF link farm, with 28 external PDF links. The document body, though heavily obfuscated, contains references to these URLs, suggesting a coordinated effort to distribute malicious content or phish users. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=maimeri%20puro%20pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005a18.bin
    SHA-256: 3caf113f3861829455ddc295b3a2e65606b6afefc81c2b7d78a5757cc630a14f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A18
    Size: 4984 bytes
  • Filename: font_01_sfnt_off00006af7.bin
    SHA-256: 041cd9d11f2d94df5486a5b6c940ddf31af6749b38450b89d73807e956a93afa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6AF7
    Size: 10172 bytes