Malicious PDF — malware analysis report

Static analysis result for SHA-256 a13e06511e5a0492…

MALICIOUS

PDF

43.1 KB Created: 2020-08-29 09:42:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10d1cb1e5066d52204ba8dd41ca6b0d5 SHA-1: 921c575ba3378aa6f29d4b957a0da5102ea3ac8a SHA-256: a13e06511e5a0492063be9aeb9135b6bc3d7892c7fe37e3d4102a32c4787fb70
188 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link to a redirector URL (ttraff.com) which is flagged as malicious. It also hosts a large number of links to PDFs on Shopify, suggesting a link farm for SEO manipulation. The document body and heuristics indicate a social engineering lure, impersonating cloud storage and prompting the user to install a browser extension or download a file, a common tactic for malware delivery.

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=google+drive+folder+as+zip+android
    • https://cdn.shopify.com/s/files/1/0432/0365/7887/files/59318111966.pdf
    • https://cdn.shopify.com/s/files/1/0433/0392/7973/files/6093019257.pdf
    • https://cdn.shopify.com/s/files/1/0431/5211/3820/files/chemical_principles_zumdahl.pdf
    • https://cdn.shopify.com/s/files/1/0440/4926/8886/files/17483717561.pdf
    • https://cdn.shopify.com/s/files/1/0430/6698/2561/files/bullet_physics_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/7551/8107/files/53253085008.pdf
    • https://cdn.shopify.com/s/files/1/0437/1654/2632/files/dilitejo.pdf
    • https://cdn.shopify.com/s/files/1/0428/1306/3327/files/23270017075.pdf
    • https://cdn.shopify.com/s/files/1/0430/6649/1041/files/gejinetavibozaxarad.pdf
    • https://cdn.shopify.com/s/files/1/0437/4288/8097/files/algebra_1_common_core_pearson_textbook.pdf
    • https://cdn.shopify.com/s/files/1/0431/2052/5469/files/gawazizatebedesazasebafam.pdf
    • https://cdn.shopify.com/s/files/1/0432/1555/2674/files/49400902026.pdf
    • https://cdn.shopify.com/s/files/1/0431/7141/4173/files/bullet_force_mod_apk_data.pdf
    • https://static.usrfiles.com/ugd/b8c837_1ae88f32c82d4561a969baeaeb101fa2.pdf
    • https://static.usrfiles.com/ugd/b8c837_b4899b6f54ef4011b82586438c58c599.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069e7.bin
9656a9517fca80dd2d1340534b0ea701ae374e28e66e696b28d10ffad89601ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69E7 5352 bytes
font_01_sfnt_off00007c45.bin
d70667afb0290cafee0dca581eddf8e4a1cc01debc0c020942134f37a2bef1e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C45 10152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.