Malicious PDF — malware analysis report

Static analysis result for SHA-256 977f86ad6f7fd578…

Verdict: MALICIOUS
File type: PDF
Size: 42.2 KB
Created: 2020-08-02 07:55:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96c148ad613c0a10b9a75f901098d649
SHA-1: d3db722ff10ee9a084f031f536186f61216688bc
SHA-256: 977f86ad6f7fd578b8135685c6318061da78023c855c92a6bc19d438907bcd77
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains a lure related to a 'Bosch 500 series washer manual' and embeds multiple links. One critical heuristic indicates a malicious redirector link pointing to 'ttraff.com', which is designed to lead users to malicious content. The presence of a 'Visible LOLBin command execution instruction' heuristic suggests that the document may also contain embedded commands or instructions to execute malicious code, likely through PowerShell or similar tools, to further the attack. The document body itself is heavily obfuscated but contains the malicious URL.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction (severity: high; rule: SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=bosch+500+series+washer+manual
    • http://files.stbartswednesbury.com/uploads/1/3/1/3/131379329/sutujefozasid.pdf
    • http://files.eliteculinarychef.com/uploads/1/3/1/8/131858916/9241938.pdf
    • http://files.soundrelaxationcentre.com/uploads/1/3/1/0/131070786/efc73b5d67b34c4.pdf
    • http://files.amaxdesigns.com/uploads/1/3/0/7/130739444/numupijorisawatemole.pdf
    • http://files.bellemaisonmassage.co.uk/uploads/1/3/1/0/131070289/zevokigad-tujelab-jiwomutejapatis.pdf
    • https://cdn.shopify.com/s/files/1/0437/0222/3013/files/rekugufolawofuxuwefil.pdf
    • https://cdn.shopify.com/s/files/1/0432/9147/6133/files/get_dell_service_tag_cmd.pdf
    • https://cdn.shopify.com/s/files/1/0436/4707/4464/files/campbell_biology_10th_edition_ebook.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51982080438.pdf
    • https://cdn.shopify.com/s/files/1/0427/5997/9174/files/vawiliviveloxesetazig.pdf
    • https://cdn.shopify.com/s/files/1/0429/1523/3948/files/sofeferuxagobiku.pdf
    • https://cdn.shopify.com/s/files/1/0429/7791/9129/files/tevipofawifekevoxigo.pdf
    • https://cdn.shopify.com/s/files/1/0433/7162/6659/files/17569245999.pdf
    • https://cdn.shopify.com/s/files/1/0434/7107/7542/files/98788412578.pdf
    • https://cdn.shopify.com/s/files/1/0434/4178/2950/files/wexaxopuka.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mapitawaluzosamorexub.pdf
    • https://cdn.shopify.com/s/files/1/0433/7198/7098/files/connors_assessment.pdf
    • https://cdn.shopify.com/s/files/1/0439/4228/1371/files/66195099969.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005d76.bin
    SHA-256: 355ca932c47110145b64e11e67dc88c8573e958cbcba2122e38ddc939bdefb21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5D76
    Size: 5448 bytes
  • font_01_sfnt_off00006fec.bin
    SHA-256: 110acd037646028a9c90422152b18e5f4b78274903e9e2213c17cd5874cd44fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FEC
    Size: 13832 bytes