Malicious PDF — malware analysis report

Static analysis result for SHA-256 aadc3bffcdb6e388…

Verdict: MALICIOUS
File type: PDF
Size: 54.5 KB
Created: 2020-09-22 00:07:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83f41f9c95ba5903372a2baece419076
SHA-1: b8a29e010c61af7e633384df21ee3d73d61a55e3
SHA-256: aadc3bffcdb6e38851b154c12c2a0af394a93b6fdf8ad876a71b2bad10e86384
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 PowerShell

The PDF file contains a lure related to 'Audials one 2020 discount' and embeds numerous links. One of these links, 'https://ttraff.link/wix?keyword=audials+one+2020+discount', is identified as a malicious redirector. The document also exhibits characteristics of a link farm, with many links pointing to external PDFs hosted on various domains. The heuristic 'SE_BROWSER_INSTALL_LURE' suggests a social engineering tactic to trick users into installing unwanted software or visiting malicious sites.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, id: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure (severity: high, id: SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=audials+one+2020+discount

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, Kind, Source, Size, SHA-256.

  • font_00_sfnt_off000062ae.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x62AE; Size: 6440 bytes
    SHA-256: 3d4760ca295192c89086870ebbac49c5a5945404ea6ab57fca452cf2db5f569a
  • font_01_sfnt_off000072a2.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x72A2; Size: 4984 bytes
    SHA-256: 3e24c0753c84974088594a0c63d838580c0c21ff27b442a2894b543ea309cf07
  • font_02_sfnt_off0000839b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x839B; Size: 10604 bytes
    SHA-256: 86cbe0f50f4aa61d4f7cca564ebe8e7e22f67358b84200378fff3b63ef9f9924
  • font_03_sfnt_off0000a829.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xA829; Size: 16036 bytes
    SHA-256: 52db30b66cfb76898988bc7c6ed152514c301740808ab95bec9c68e49df23550
  • font_04_sfnt_off0000bc91.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xBC91; Size: 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e