Malicious PDF — malware analysis report

Static analysis result for SHA-256 addb0fa36e03b35b…

MALICIOUS

PDF

71.2 KB Created: 2020-08-31 04:05:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fefb52fccd01322af1f389195f384e6 SHA-1: f0f66c99b78d5beccde9e43f59dd735935d1705f SHA-256: addb0fa36e03b35b3217dbc7489443e3f2db51040e31eab1218d770cc2829b7c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO poisoning or to distribute malicious content. One of the embedded URLs, https://ttraff.com/wix?keyword=%25D9%2585%25D8%25A7+%25D9%2587%25D9%258A+%25D9%2585%25D9%258A%25D9%2584%25D9%2581+%25D8%259F, is flagged as a known malicious redirector. The file was generated using wkhtmltopdf, suggesting it was likely created programmatically to host these links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=%25D9%2585%25D8%25A7+%25D9%2587%25D9%258A+%25D9%2585%25D9%258A%25D9%2584%25D9%2581+%25D8%259F
    • https://static.usrfiles.com/ugd/b8c837_09eb44ff6261448a9168e17322fdcf36.pdf
    • https://static.usrfiles.com/ugd/b8c837_32f73daafee8453a929d6bc293af174e.pdf
    • https://static.usrfiles.com/ugd/5b9a87_1516a5cb1a954b6c8cb1f7ff71c806a1.pdf
    • https://static.usrfiles.com/ugd/b910ae_3f190bf6198f481284118c277cfc5458.pdf
    • https://static.usrfiles.com/ugd/10e3af_f1561b2362854f7fb094333a0b214e5d.pdf
    • https://static.usrfiles.com/ugd/bf07b1_688d96676e514ad8b01e557427dd4a71.pdf
    • https://static.usrfiles.com/ugd/b8c837_de39db9160a14e5b852ed7e15ec69196.pdf
    • https://static.usrfiles.com/ugd/b8c837_933b5050f3a841fca1a8337ce0648192.pdf
    • https://static.usrfiles.com/ugd/a771bd_1fa3dea20c894e918eeaad8b31394bbe.pdf
    • https://static.usrfiles.com/ugd/19ce5d_b84d2dd68b9d4f779a129c35d8aaac12.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000d489.bin
5b9048a884c5a0109c2f045b906b9681daca2060a9d619f5d14c2fdce705757a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xD489 33120 bytes
font_00_sfnt_off00008d63.bin
0839d7670eb8be446f52832e8c720d0f625510ceeadeab5b1dd4203940110fb4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D63 4068 bytes
font_01_sfnt_off00009b41.bin
7d338c66b0c443360c97b3330db175afe98493cf5200c55c65e45d0d9b568ae2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B41 17192 bytes
font_02_sfnt_off0000b44e.bin
522a9347adc20f398e6c69f444ecf878af47b68abd48123efadcccc8cd6ad17a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB44E 9348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.