Malicious PDF — malware analysis report

Static analysis result for SHA-256 a47e3586cc0540eb…

Verdict: MALICIOUS
Type: PDF
Size: 41.6 KB
Created: 2020-09-16 23:58:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d89a1cdb5b3e5b2572efedfbab8f843
SHA-1: a5c9da94b165b6d002f6ad607311aeaa710f3ac2
SHA-256: a47e3586cc0540eb2a9573d93e456537aa63b9f3f2eede67cde2b93ca66427a3
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell; T1204.002 User Execution: Malicious File
Note: the T1059.001 mapping is not supported by the static evidence below (no scripts were extracted from the sample) and should be read as a property of the campaign's downstream delivery chain, not of this file.

The PDF contains a clickable link to ttraff.me, a known malicious redirector, with the lure phrase 'cub scout bear leader manual' passed as a query-string keyword (https://ttraff.me/wix?keyword=cub+scout+bear+leader+manual). It also carries a large number of links to other PDFs on third-party file hosts (Shopify CDN, Wix filesusr.com and several /uploads/ document hosts), consistent with a generated SEO link farm used to raise the search ranking of malicious content; the wkhtmltopdf authoring signature is consistent with the document having been rendered from generated HTML. No scripts or exploit content were extracted, so the verdict rests on the redirector link and the lure: a phishing or scam chain that depends on the user clicking through, not on a PDF parser vulnerability.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.me/wix?keyword=cub+scout+bear+leader+manual
    • http://judik.jasmarezcats.com/uploads/1/3/2/6/132695903/masojakil.pdf
    • http://files.baconandbears.com/uploads/1/3/2/6/132681796/zenorar-rejerosupu-nutanega-xofexepize.pdf
    • http://files.goldlawcolorado.com/uploads/1/3/1/0/131071114/saxov.pdf
    • http://files.annamae22pngstock.com/uploads/1/3/0/8/130813770/2810057.pdf
    • http://files.drjohndegarmofostercare.com/uploads/1/3/0/7/130775336/sedojogorivuvemimiwe.pdf
    • https://e65ff2a4-1f75-4b9c-80b1-46f56d8b376e.filesusr
    • https://cdn.shopify.com/s/files/1/0431/8239/1451/files/nukujawafef.pdf
    • https://cdn.shopify.com/s/files/1/0436/4114/3454/files/auditing_and_assurance_services_9th.pdf
    • https://cdn.shopify.com/s/files/1/0432/8180/9558/files/8343111550.pdf
    • https://cdn.shopify.com/s/files/1/0434/9788/1764/files/nonprofit_corporation_bylaws_template.pdf
    • https://cdn.shopify.com/s/files/1/0432/4291/3955/files/noxuribuzofinapol.pdf
    • https://1e23c6c1-8353-4330-8201-30fb12d5e459.filesusr.com/ugd/625844_db26f6fd97b24eb7b488c99b67dc7bdb.pdf?index=true
    • https://819b5e83-8447-47a3-bdcb-7401c5a09107.filesusr.com/ugd/5f5755_e0816c606c844f9b859beb06343a4eb3.pdf?index=true
    • https://9dcf42da-17d1-4ae7-9fcd-0e0941380461.filesusr.com/ugd/eb6612_50225242ff1744a1b2dc78c2556e3af3.pdf?index=true
    • https://17208143-f349-4f54-a3b7-de812f2bfb1c.filesusr.com/ugd/76aeb6_7e19b4e70c9b4be989ac57613710af0a.pdf?index=true
    • https://30b400f6-c147-4f2a-9628-122efaf8604f.filesusr.com/ugd/01f9b9_04bb93d43b2c4cd6b22229e54be0fa2f.pdf?index=true
    • https://26108255-8c63-43e6-ae59-c36ce5e9a3af.filesusr.com/ugd/610d21_554c9b0c4ba34005b2cf3fa695057a8d.pdf?index=true
    • https://2601707a-3543-4977-a706-2d43c793de87.filesusr.com/ugd/5e8de6_7ed8a52bcb784bd0947b65e90e8d13d7.pdf?index=true
    • https://eca47de3-87c5-48c8-8a8d-f795bcf9631b.filesusr.com/ugd/957eb4_12054a552c6544bbaa8cff028d54063e.pdf?index=true
    • https://e65ff2a4-1f75-4b9c-80b1-46f56d8b376e.filesusr.com/ugd/145364_0a688ec8d19e4cc19d6aa7083c3468a7.pdf?index=true
    The remaining six URLs are XMP/RDF namespace identifiers from the document metadata, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off000065e7.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x65E7    5128 bytes
    SHA-256: 33f691fe43706ce311a98bd6b81fb4db4ca42f75b1039f457d3ffd1606ddace3
font_01_sfnt_off00007735.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x7735    9980 bytes
    SHA-256: 94fe133f825b3b600821ac0ec35abc23eda7183f8810989f48215932e00d39b2
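The two heuristics above (a clickable URI to a redirector plus a small file carrying a cluster of external PDF links) and the font-stream carving in this artifacts table can both be reproduced with a few regexes over the raw PDF. The block below is an added example written for this page, not the scanner's own code: it builds a constructed, uncompressed PDF in memory (modelled on the URL list above, but not the analysed sample), extracts the /URI link-annotation targets, applies an assumed PDF_SEO_LINK_FARM-style rule with made-up thresholds (file under 100 KB, at least 10 links to other PDFs, at least half on one registered domain), and carves any stream whose first bytes carry an sfnt magic, naming the output the way the table does.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): uncompressed objects so the regexes
# below can see them. Real carriers usually FlateDecode their objects; inflate
# each stream with zlib before applying the same logic.
REDIRECTOR = "https://ttraff.me/wix?keyword=cub+scout+bear+leader+manual"
FARM_LINKS = (
    [f"https://cdn.shopify.com/s/files/1/0431/8239/1451/files/doc{i}.pdf" for i in range(7)]
    + [f"https://{i}e23c6c1-8353-4330-8201-30fb12d5e459.filesusr.com/ugd/x{i}.pdf" for i in range(3)]
    + ["http://judik.jasmarezcats.com/uploads/1/3/2/6/132695903/a.pdf",
       "http://files.baconandbears.com/uploads/1/3/2/6/132681796/b.pdf"]
)
SFNT_FONT = b"\x00\x01\x00\x00" + b"\x00" * 60  # fake TrueType header + padding


def build_sample_pdf(links, font):
    """Assemble a minimal PDF: one /Link annotation per URL plus one embedded
    TrueType-style font stream. Constructed purely for this example."""
    parts = [b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"]
    for n, url in enumerate(links, start=2):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, url.encode("ascii")))
    parts.append(b"%d 0 obj\n<< /Length %d /Subtype /TrueType >>\nstream\n"
                 % (len(links) + 2, len(font)) + font + b"\nendstream\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Literal-string /URI entries only; hex strings (<...>) and escaped parentheses
# are not handled, so treat a zero hit count on a real file with suspicion.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf):
    """Return every URI reachable from a /URI action, in document order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def registered_domain(url):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def link_farm_score(pdf, uris, max_size=100_000, min_links=10, cluster_ratio=0.5):
    """Assumed thresholds for a PDF_SEO_LINK_FARM-style rule: a small file carrying
    many clickable links to *other* PDFs, mostly on one registered domain."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    domains = Counter(registered_domain(u) for u in pdf_links)
    top_domain, top_n = domains.most_common(1)[0] if domains else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    hit = len(pdf) <= max_size and len(pdf_links) >= min_links and share >= cluster_ratio
    return {"hit": hit, "pdf_links": len(pdf_links), "top_domain": top_domain,
            "top_share": round(share, 2), "size": len(pdf)}


# A dictionary immediately followed by a stream; allows one level of nested << >>.
STREAM_RE = re.compile(rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def carve_sfnt_streams(pdf):
    """Carve streams whose first bytes look like an sfnt font (TrueType/OpenType).
    Filenames follow the report's font_NN_sfnt_offXXXXXXXX.bin convention."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        # Direct /Length only; an indirect '/Length 5 0 R' falls back to endstream.
        direct = re.search(rb"/Length\s+(\d+)(?![\s\d]*R)", m.group(1))
        length = int(direct.group(1)) if direct else pdf.find(b"endstream", start) - start
        data = pdf[start:start + length]
        if data[:4] in SFNT_MAGICS:
            found.append({"name": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
                          "offset": start, "size": length,
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return found


if __name__ == "__main__":
    pdf = build_sample_pdf([REDIRECTOR] + FARM_LINKS, SFNT_FONT)
    uris = extract_link_uris(pdf)
    print(len(uris), "URIs; redirector present:", REDIRECTOR in uris)
    print(link_farm_score(pdf, uris))
    for art in carve_sfnt_streams(pdf):
        print(art["name"], art["size"], "bytes", art["sha256"][:16])
```

The link-farm rule deliberately scores only links whose path ends in .pdf, so the redirector itself is reported separately (by presence in the URI list) rather than inflating the farm count; on a real sample the same two-stage view, one flagged redirector plus a cluster of same-domain PDF links, is what distinguishes this carrier pattern from a document that simply cites many references. The thresholds and the domain heuristic are assumptions for illustration, not the scanner's actual parameters.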