Malicious PDF — malware analysis report

Static analysis result for SHA-256 96e81132ae3860eb…

Verdict: MALICIOUS
File type: PDF
Size: 48.8 KB
Created: 2020-09-18 06:10:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a2c8e8fe8260017e6e07688535bda40
SHA-1: 7c28768202fd8b5f0b5a9eb7879c39184e96c22b
SHA-256: 96e81132ae3860eb698d7b83d17e3a6380221fbd941483971f3a887ba40fc8fa
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a lure related to a 'hotel daily maintenance checklist' and embeds multiple links. One of these links, 'https://ttraff.me/wix?keyword=hotel+daily+maintenance+checklist', is flagged as a malicious redirector. The presence of a large number of external PDF links, many pointing to benign content, suggests a link farm technique to obscure the malicious redirector. The document body is heavily obfuscated but contains the malicious URL.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.me/wix?keyword=hotel+daily+maintenance+checklist

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006b23.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B23
    Size: 5208 bytes
    SHA-256: 200252715b53e03b5d76700006d9b23ea6bbbcdac0558e9e314a3cb8d4bd240d
  • font_01_sfnt_off00007cbb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CBB
    Size: 10460 bytes
    SHA-256: c9b4330ffb3f48cede619e04ba0daa4f0f4a45be5d9a1761a50c54803e18594e
  • font_02_sfnt_off0000a0b6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA0B6
    Size: 16220 bytes
    SHA-256: 3c7cc8ae067af2be950886b4dad48a8bcd39dc6fddcc0714ff1a8f2c30be0771