Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f916e86199e6866…

MALICIOUS

PDF

49.1 KB Created: 2020-09-16 19:39:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 748077874a820a594a7b3641c1e7d065 SHA-1: a3b2b7fa5ecd82136233d4e851f95b0dbd3d58d7 SHA-256: 9f916e86199e6866d5d4fb9d990115101cf7b2947ec4ea74e32d91d185fcac6f
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=hover+chat+apkpure', which is likely intended to lead the user to a malicious site. The presence of numerous PDF links and a callback lure suggests a phishing or social engineering attempt.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=hover+chat+apkpure
    • https://8f33a481-cece-4811-a6d6-28cedb1a338b
    • https://c0fd9646-8574-4953-80a6-5c09f9a92f6a.filesusr.com/ugd/2e4eb4_ffc8963254864c2d8c1fb2ca312b6b29.pdf?index=true
    • https://866d91f1-39ab-401d-9c72-5dece5e70d5a.filesusr.com/ugd/64bd79_ba6dc674f5404e94b50cc6f6d7a322bb.pdf?index=true
    • https://5f3c3851-1e7e-4936-b86b-d901d9938e8a.filesusr.com/ugd/d1c05f_0510957281c449d4b5be4765de8767b0.pdf?index=true
    • https://996990ea-b196-4058-8c36-90dff756f056.filesusr.com/ugd/3eb4bd_11a5213b9f4f4c3ab078c364c2addd26.pdf?index=true
    • https://034a9de6-3c98-4513-9101-81d80f9951cc.filesusr.com/ugd/2dbf5a_c260aaa49310453a81cd231b5cf92033.pdf?index=true
    • https://4cefe5be-cf1e-4d61-a04c-722585a85a08.filesusr.com/ugd/8acad3_adb9fde14a494669b7ddd5112202d163.pdf?index=true
    • https://cc11f833-bd91-4cdd-b554-b7d65bb81d7b.filesusr.com/ugd/26481d_b24e0109e3c64274af2f59e7999c555e.pdf?index=true
    • https://a6090f1a-d5f4-4d16-8839-088137ee0524.filesusr.com/ugd/7baf93_5b5f12349ad84f78978ca9bfa57abefc.pdf?index=true
    • https://eae0e60f-0a34-4776-9867-95ea5c1919f9.filesusr.com/ugd/5f226b_affdcb623a3447c39a363a9c05c0f85f.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0434/1412/6759/files/zalukeba.pdf
    • https://cdn.shopify.com/s/files/1/0431/6545/0391/files/koveganejijufivajurarepi.pdf
    • https://cdn.shopify.com/s/files/1/0431/3301/0082/files/49783917370.pdf
    • https://cdn.shopify.com/s/files/1/0435/1036/6362/files/5459674207.pdf
    • https://037d37f5-2d30-4b47-91dd-cecb9ff8cb5f.filesusr.com/ugd/440e29_9d8d3a0dbe6a42ca962d4875774f1977.pdf?index=true
    • https://b6346132-eb87-4307-9f45-fde248d5e192.filesusr.com/ugd/8a4248_c0ddafa659674ef08d0a8a30108ac285.pdf?index=true
    • https://c3440fc2-a88c-48d1-9984-e2c36f31ade8.filesusr.com/ugd/4b874d_d1223dcc16d74af4b8c213105d3999af.pdf?index=true
    • https://8f33a481-cece-4811-a6d6-28cedb1a338b.filesusr.com/ugd/110ef3_4e9286fb94054995b45370bf38904395.pdf?index=true
    • https://4170bd71-7768-4867-8d27-232a2b15db8d.filesusr.com/ugd/ac8c68_3ba053a604414f0a904feb3757697b80.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000649c.bin
755c922695214497398241cfe3979619ebae5c8051eeb9ef63a77f506d27c7ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x649C 4896 bytes
font_01_sfnt_off0000753a.bin
e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x753A 1800 bytes
font_02_sfnt_off00007dc8.bin
f2836b4e047ae428ebfad90f4265211bc85d30894c033f46883571b024afd4ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DC8 10500 bytes
font_03_sfnt_off0000a1f5.bin
9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA1F5 16092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.