Malicious PDF — malware analysis report

Static analysis result for SHA-256 a71bbd5774398ab0…

Verdict: MALICIOUS
File type: PDF
Size: 330.1 KB
Created: 2020-09-02 17:50:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 29967e7f48f2d092231b563090b8335b
SHA-1: c430250036f01b13522f9d599ec710e984aa5bd7
SHA-256: a71bbd5774398ab005ffa2fb6420821fb3508470d5b796bf685fa2c1d48eb51b
Risk score: 110

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File (the PDF itself, opened by the recipient)
T1204.001 User Execution: Malicious Link (the clickable redirector link inside it)

The PDF contains a clickable link to ttraff.cc, a known malicious redirector associated with malware distribution. The document is also built as a lure: it presents a download button and instructs the user to use a remote-support tool, so the aim is to talk the reader into installing or running software rather than to exploit the PDF reader. The authoring application, wkhtmltopdf, renders HTML pages to PDF, which is consistent with a mass-generated lure rather than a hand-authored document. The primary IOC is the redirector URL (https://ttraff.cc/wix?keyword=autodesk+autocad+civil+3d+2013+free).

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and a redirect chain rather than on a PDF parser vulnerability, so the risk lies in where the link leads, not in rendering the file.
  • Remote-support tool lure (high, SE_REMOTE_SUPPORT_LURE)
    The document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect. In an unsolicited document this is high-risk: following the instruction hands an outsider interactive control of the host.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). On its own this is a low signal; it matters only when other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JavaScript, link annotation, document body, ...) reached each one.
    Clickable link (the redirector flagged above):
    • https://ttraff.cc/wix?keyword=autodesk+autocad+civil+3d+2013+free
    Links to other .pdf files hosted on third-party CDNs (cdn.shopify.com, static.usrfiles.com):
    • https://cdn.shopify.com/s/files/1/0429/3872/8611/files/58452295657.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3355/files/87134651908.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/80804151078.pdf
    • https://cdn.shopify.com/s/files/1/0433/8375/0821/files/40492240281.pdf
    • https://cdn.shopify.com/s/files/1/0439/1672/2344/files/23969990246.pdf
    • https://cdn.shopify.com/s/files/1/0437/5199/7592/files/9421820622.pdf
    • https://static.usrfiles.com/ugd/b8c837_60f8c5c0c5174378b206cd19527f1baf.pdf
    • https://static.usrfiles.com/ugd/314c35_c065c6829ed542d791eaa3c54d801276.pdf
    • https://static.usrfiles.com/ugd/4542d9_2965373d1bcb494eb2c5f880e0aba58f.pdf
    • https://static.usrfiles.com/ugd/3f4b99_7bedb329a65b4c7fa2b871bf079b58ef.pdf
    • https://static.usrfiles.com/ugd/12daa7_07bc7a9d14324cd0838cbdca626462ec.pdf
    • https://static.usrfiles.com/ugd/078c79_fd77f054f9d44b4685dec5dcb83bfb0d.pdf
    XMP/RDF metadata namespace identifiers, picked up from the document's XMP metadata rather than from any link or page content; these are not navigable URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
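The four heuristics and the per-URL channel labels above can be reproduced with a small amount of standard-library Python. The block below is an added example, not the analysis service's own code: it builds a constructed lure PDF in memory (one page, a link annotation to the redirector, lure text in a FlateDecode content stream, and an XMP metadata stream), extracts every URL together with the channel it was reached through, and applies the four heuristics. The blocklist, phrase lists, severity labels and verdict thresholds are assumptions made for illustration; a production parser would also have to handle cross-reference tables, object streams and the other stream filters, which this regex-based triage does not.

```python
"""PDF lure triage: clickable URIs, lure text, and per-channel URL labels.

Added example, not the analysis service's code. Blocklist, phrase lists and
severities are assumptions; the sample PDF is constructed in-line (no xref
table: enough for regex triage, not for a viewer).
"""
import re
import zlib
from urllib.parse import urlparse

KNOWN_REDIRECTORS = {"ttraff.cc"}  # the redirector named in the report
REMOTE_SUPPORT_TOOLS = ("anydesk", "teamviewer", "quick assist", "screenconnect")
DOWNLOAD_PHRASES = ("click here to download", "download now")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # URI action: /A << /S /URI /URI (...) >>
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")     # literal strings drawn with the Tj operator
URL_RE = re.compile(r"https?://[^\s()<>\"']+")


def iter_objects(pdf):
    """Yield (object number, dictionary bytes, decoded stream data or None)."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.match(body)
        if not sm:
            yield num, body, None
            continue
        head, data = sm.group(1), sm.group(2)
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                data = b""  # damaged or multi-filter stream: skip rather than crash
        yield num, head, data


def extract_urls(pdf):
    """Return [(url, channel)]; the channel records how the URL is reachable."""
    urls = []
    for _num, head, data in iter_objects(pdf):
        for m in URI_RE.finditer(head):  # link annotation / URI action
            urls.append((m.group(1).decode("latin-1"), "link_annotation"))
        if data is None:
            continue
        if b"/Type /Metadata" in head:  # XMP packet: namespace URIs, not links
            channel, text = "xmp_metadata", data.decode("latin-1")
        else:                           # page content the reader actually sees
            channel, text = "body_text", " ".join(t.decode("latin-1") for t in TJ_RE.findall(data))
        urls.extend((u, channel) for u in URL_RE.findall(text))
    return urls


def extract_text(pdf):
    """Visible text from content streams (metadata streams excluded)."""
    parts = []
    for _num, head, data in iter_objects(pdf):
        if data and b"/Type /Metadata" not in head:
            parts.extend(t.decode("latin-1") for t in TJ_RE.findall(data))
    return " ".join(parts)


def score(pdf):
    """Apply the report's four heuristics; return verdict, URLs and findings."""
    urls = extract_urls(pdf)
    text = extract_text(pdf).lower()
    findings = []
    for url, channel in urls:
        host = (urlparse(url).hostname or "").lower()
        if channel != "xmp_metadata" and any(host == d or host.endswith("." + d) for d in KNOWN_REDIRECTORS):
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", f"{url} via {channel}"))
    if any(tool in text for tool in REMOTE_SUPPORT_TOOLS):
        findings.append(("SE_REMOTE_SUPPORT_LURE", "high", "remote-support tool named in body text"))
    if any(phrase in text for phrase in DOWNLOAD_PHRASES):
        findings.append(("SE_DOWNLOAD_BUTTON", "low", "call-to-action phrase in body text"))
    navigable = [u for u, c in urls if c != "xmp_metadata"]
    if navigable:
        findings.append(("EMBEDDED_URL", "info", f"{len(navigable)} navigable URL(s) extracted"))
    severities = {s for _, s, _ in findings}
    verdict = "MALICIOUS" if "critical" in severities else "SUSPICIOUS" if "high" in severities else "CLEAN"
    return {"verdict": verdict, "urls": urls, "findings": findings}


def build_sample_pdf():
    """Constructed sample mimicking the lure: redirector link annotation, visible
    call-to-action and remote-tool text, and an XMP metadata stream."""
    page = (b"BT /F1 14 Tf 72 700 Td (Click here to download) Tj "
            b"0 -20 Td (Open AnyDesk and enter the support code) Tj "
            b"0 -20 Td (Mirror: https://cdn.shopify.com/s/files/1/0429/3872/8611/files/58452295657.pdf) Tj ET")
    page_z = zlib.compress(page)
    xmp = b'<x:xmpmeta xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(page_z) + page_z + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 720] "
        b"/A << /S /URI /URI (https://ttraff.cc/wix?keyword=autodesk+autocad+civil+3d+2013+free) >> >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Run `score(build_sample_pdf())` and the four finding IDs come back in the report's order, with the ttraff.cc hit labelled `link_annotation` and the RDF namespace labelled `xmp_metadata` so it is neither counted nor blocklist-matched. The host check uses the parsed hostname rather than a substring match, so a URL such as `https://evil.example/?u=ttraff.cc` would not be misattributed to the redirector.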

Extracted artifacts (3)

Files carved from inside the sample during analysis, so that each can be hashed and scanned on its own. All three are sfnt-format (TrueType/OpenType) font programs; none of the findings above relates to them.

font_00_sfnt_off0004bb25.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4BB25
  Size:    5616 bytes
  SHA-256: aa9cbc4afaf6eef612732daca3b277fdf1e988c61f96118838b0f8936dd1964f

font_01_sfnt_off0004ce63.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4CE63
  Size:    17420 bytes
  SHA-256: bc7771497daa8e3f1940e90ce05f6d29d794dc687067626dbde4248a9ce74248

font_02_sfnt_off00050419.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x50419
  Size:    16204 bytes
  SHA-256: c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449
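Carving the embedded fonts listed in the artifacts table, and naming them the way the table does, takes little more than the standard library. The block below is an added example, not the tool that produced the report: it scans a constructed PDF containing two sfnt font streams (one FlateDecode'd, one raw but truncated) plus an ordinary content stream, validates the sfnt header, walks the table directory, hashes each font and records the file offset of the stream data. The check that every table lies inside the blob is a generic malformed-font sanity test, not a finding this report makes; the sample PDF, its fonts and the file-name scheme are the only other assumptions.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts out of a PDF, hash and sanity-check them.

Added example, not the tool that produced the report. The sample PDF and the
fonts inside it are constructed in-line; file names follow the report's
font_NN_sfnt_offHHHHHHHH.bin scheme, and the table-bounds check is a generic
malformed-font test rather than a finding from the report.
"""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}  # TrueType, Apple TrueType, CFF OpenType
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def parse_sfnt(blob):
    """Parse the sfnt offset table and table directory; None if blob is not an sfnt."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    tables, problems = [], []
    for i in range(num_tables):
        rec = blob[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            problems.append("table directory truncated")
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        tag = tag.decode("latin-1")
        tables.append((tag, offset, length))
        if offset + length > len(blob):  # table points outside the font: malformed
            problems.append(f"table {tag!r} runs past end of font")
    return {"version": blob[:4], "tables": tables, "problems": problems}


def carve_fonts(pdf):
    """One record per sfnt stream: report-style name, offset, size, SHA-256, directory."""
    records = []
    for m in STREAM_RE.finditer(pdf):
        # The stream dictionary sits between the enclosing "N G obj" and "stream".
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        head = pdf[obj_start:m.start()]
        data = m.group(1)
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or multi-filter stream: not carvable this way
        info = parse_sfnt(data)
        if info is None:
            continue
        offset = m.start(1)  # file offset of the stream data, as the report gives it
        records.append({
            "name": f"font_{len(records):02d}_sfnt_off{offset:08x}.bin",
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "tables": info["tables"],
            "problems": info["problems"],
        })
    return records


def build_sample_font(truncate=False):
    """Constructed two-table TrueType skeleton; truncate=True cuts the last table short."""
    tables = [(b"head", b"\x00" * 56), (b"glyf", b"\x00" * 32)]
    n = len(tables)
    entry_selector = n.bit_length() - 1  # floor(log2(n)), per the sfnt header rules
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, search_range,
                         entry_selector, n * 16 - search_range)
    directory, body, offset = b"", b"", 12 + 16 * n
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        body += data
        offset += len(data)
    font = header + directory + body
    return font[:-8] if truncate else font


def build_sample_pdf():
    """Constructed PDF: a FlateDecode'd font stream, a raw truncated one, a content stream."""
    good, bad = build_sample_font(), build_sample_font(truncate=True)
    good_z = zlib.compress(good)
    content = b"BT /F1 12 Tf 72 700 Td (not a font) Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Sample /FontFile2 3 0 R >>",
        b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n" % (len(good_z), len(good)) + good_z + b"\nendstream",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(bad), len(bad)) + bad + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

`carve_fonts(build_sample_pdf())` returns two records: the intact font parses cleanly with a `head` and a `glyf` table, while the truncated one is still carved and hashed but carries a `problems` entry because its `glyf` table extends past the end of the blob. A font whose directory does not fit its data is exactly the kind of artifact worth pulling out for a separate look, which is why carving keeps the bytes rather than discarding anything that fails the check.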