Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3a1a3cb51ef762b…

MALICIOUS

PDF

57.9 KB Created: 2020-09-02 22:39:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36e3530007ad8d609301fcd35406e6d9 SHA-1: 84854e79c21a26a0f3d2e8850e689714363be0c1 SHA-256: a3a1a3cb51ef762b96ec1bf24db4334fd9316baa051fd51dc81a7aae78a89916
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=whatsapp+plus+latest+version+update'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links. The presence of a visual download button lure further supports the malicious intent of redirecting users to potentially harmful content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=whatsapp+plus+latest+version+update
    • https://static.usrfiles.com/ugd/3801ff_21ac4403ebbf454db95ec369e72988e0.pdf
    • https://static.usrfiles.com/ugd/74c34a_97bd48aaab18474e984801a8d194e456.pdf
    • https://static.usrfiles.com/ugd/ab63e3_18221a145d8a4bf9ae3b85fbb38d1c46.pdf
    • https://static.usrfiles.com/ugd/37428b_f49b8a7ca5bf462b8030b00301a7c3a1.pdf
    • https://static.usrfiles.com/ugd/e0d0cf_647877edf41547149b40aa6c27ae458f.pdf
    • https://cdn.shopify.com/s/files/1/0430/6770/3457/files/vapasogurixibanot.pdf
    • https://cdn.shopify.com/s/files/1/0438/3450/7426/files/dazumoner.pdf
    • https://cdn.shopify.com/s/files/1/0429/1274/3580/files/archeage_hiram_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/8787/9580/files/28232337233.pdf
    • https://cdn.shopify.com/s/files/1/0428/7699/3695/files/demon_hunter_havoc_guide_8._0.pdf
    • https://static.usrfiles.com/ugd/d5415a_60abd56ef76a4c22b8ba9d7a5e0a7635.pdf
    • https://static.usrfiles.com/ugd/f65518_6e2690e8581e4261b79f2f8670d0795c.pdf
    • https://static.usrfiles.com/ugd/cafc24_14a057ca99364638b521707c09b869e8.pdf
    • https://static.usrfiles.com/ugd/52b593_cccf8b58b4ed4364824a8613bba43cbd.pdf
    • https://static.usrfiles.com/ugd/0c41e7_633fc268aa784b56a6cd951e178f2898.pdf
    • https://static.usrfiles.com/ugd/c8df25_4e7e8732a19343d0a39ed4d4cbec5245.pdf
    • https://static.usrfiles.com/ugd/b8c837_c91a8d6cd1764ee89fb98ba89efd4be0.pdf
    • https://static.usrfiles.com/ugd/ed8107_cdd926cc465f43a2aa5cf8991eae1209.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000083c7.bin
63bfb8ccd63c94ac1c9a3b7953208f93c225105369c7a657f2c122f9d5c1c64e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83C7 5120 bytes
font_01_sfnt_off00009535.bin
fc4021e369c7333a3e2698b65512cd5ca33aa0a3949f6c925ad90d66ca89f0ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9535 2528 bytes
font_02_sfnt_off0000a066.bin
4c8f5bb30eb5ad506bff8b1b1ace2e361e2114c84f15f57b98a329f83444888e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA066 10244 bytes
font_03_sfnt_off0000c3a2.bin
1a2cef344135cdcc96c5e1f54e34dedc508871894fe74269a84f378fcf36fd5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC3A2 16392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.