Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae8a476dbacd2ecc…

Verdict: MALICIOUS
File type: PDF
Size: 75.8 KB
Created: 2020-09-03 00:18:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 502eb621ccb53838035168e8e6266c1d
SHA-1: f3f226c13b2b82a85484c7b015ab376e21f7d2db
SHA-256: ae8a476dbacd2eccea6201c9f23c4d50c57016e0fd954e39f7c91a856489a52c
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the sub-technique ID for "Spearphishing Attachment" is T1566.001; the observed behaviour here, a document whose payload is its clickable links, is T1566.002)
T1059.001 PowerShell (campaign-level mapping only: no script, JavaScript or launch action was extracted from this sample, so nothing on this page evidences PowerShell execution)

A heuristic fired on a clickable link to known malicious redirector infrastructure, https://ttraff.me/wix?keyword=full+form+of+pok+in+gujarati. The keyword-stuffed query string is typical of SEO-poisoning redirect chains that send a user who clicks through the document to scam, phishing or unwanted-software landing pages. The document also carries a large number of external links to other PDFs, clustered on the file-hosting CDNs of legitimate site builders (static.usrfiles.com and cdn.shopify.com), which matches a generated link-farm carrier rather than a normal citation pattern; such hosting is regularly abused because the domains carry good reputation and are rarely blocked. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with mass generation from web templates, and the creation timestamp, like all PDF metadata, is writer-controlled and should not anchor a timeline. Nothing on this page indicates a parser exploit or embedded script: the risk is in what the user clicks, so the indicators to act on are the URLs and hosts below, not the file's structure.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is what matters. The extracted URLs fall into two groups.
    Link-annotation URLs (clickable; the first is the redirector, the remaining 13 are the link farm, 8 of them on cdn.shopify.com):
    • https://ttraff.me/wix?keyword=full+form+of+pok+in+gujarati
    • https://static.usrfiles.com/ugd/ee4a13_6a81939cdd36442bad9156244213fdad.pdf
    • https://static.usrfiles.com/ugd/b11f6d_156a1e5e14ac4987b7cb13414f7cd444.pdf
    • https://static.usrfiles.com/ugd/a2e20a_8dd066f5f0534ac686004e71dd7bc6ac.pdf
    • https://static.usrfiles.com/ugd/9dda13_23aa8a58862549dba709d86cc7dd9c34.pdf
    • https://static.usrfiles.com/ugd/227d0f_e734c2d5635f4b7eb12626392daa267e.pdf
    • https://cdn.shopify.com/s/files/1/0431/2432/6564/files/mejufesarojoluva.pdf
    • https://cdn.shopify.com/s/files/1/0430/5790/5818/files/wenolijosunezusido.pdf
    • https://cdn.shopify.com/s/files/1/0433/6628/5464/files/38717710464.pdf
    • https://cdn.shopify.com/s/files/1/0429/3358/4035/files/gifege.pdf
    • https://cdn.shopify.com/s/files/1/0432/1745/3211/files/sugugebaluvuwil.pdf
    • https://cdn.shopify.com/s/files/1/0461/6473/8200/files/why_does_everyone_hate_sammy_hagar.pdf
    • https://cdn.shopify.com/s/files/1/0437/8768/1954/files/crystal_reports_2013_change_sql_query.pdf
    • https://cdn.shopify.com/s/files/1/0432/6352/5026/files/39712975551.pdf
    XMP metadata namespace URIs (standard RDF, Dublin Core and Adobe XMP identifiers from the document's metadata packet; not clickable and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
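
As an added example (not output or code from the analysis tool, and not the tool's actual rule logic), the following Python script reproduces the two detections above over a constructed PDF fragment: it extracts URLs and labels each with the channel that reached it (link annotation, XMP namespace, or plain document body), then applies a link-farm check and a redirector check that count only clickable link annotations. The redirector host list, the thresholds (file size, link count, host-clustering ratio) and the sample's link paths are assumptions chosen to mirror this report; the real tool's values are not on the page.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: a hypothetical analyst-maintained list of redirector hosts; the
# real tool's list is not on the page. Seeded with the host this report flagged.
REDIRECTOR_HOSTS = {"ttraff.me"}

# Standard XMP/RDF namespace identifiers: URL-shaped, but metadata, not links.
METADATA_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# /URI (...) inside a link-annotation action, literal-string form only. The
# hex-string form /URI <...> and annotations packed into compressed object
# streams need a real PDF parser and are out of scope for this regex pass.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")  # anything URL-shaped


def _unescape(lit: bytes) -> str:
    """Undo the PDF literal-string escapes for parentheses and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", lit).decode("latin-1")


def extract_urls(data: bytes) -> dict[str, set[str]]:
    """Map each URL to the channel(s) that reached it: link_annotation,
    xmp_namespace or document_body."""
    urls: dict[str, set[str]] = {}
    for m in URI_ACTION_RE.finditer(data):
        urls.setdefault(_unescape(m.group(1)), set()).add("link_annotation")
    for m in ANY_URL_RE.finditer(data):
        u = m.group(0).decode("latin-1")
        ch = "xmp_namespace" if u.startswith(METADATA_NAMESPACE_PREFIXES) else "document_body"
        urls.setdefault(u, set()).add(ch)
    return urls


def check_link_farm(urls, file_size, *, max_size=200_000, min_links=8, cluster=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many clickable external .pdf
    links, most of them on one host. Thresholds are assumptions, not the tool's."""
    pdf_links = [u for u, ch in urls.items()
                 if "link_annotation" in ch and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    fired = (file_size <= max_size and len(pdf_links) >= min_links
             and top_n / len(pdf_links) >= cluster)
    return {"fired": fired, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_links": top_n}


def check_redirector(urls):
    """PDF_MALICIOUS_REDIRECTOR_LINK-style check: a clickable link whose host is
    on the redirector list. Only link annotations count; a URL that merely
    appears in the body or metadata is not something the user can click."""
    hits = sorted(u for u, ch in urls.items()
                  if "link_annotation" in ch and urlparse(u).netloc.lower() in REDIRECTOR_HOSTS)
    return {"fired": bool(hits), "urls": hits}


def triage(data: bytes) -> dict:
    urls = extract_urls(data)
    return {"urls": urls,
            "link_farm": check_link_farm(urls, len(data)),
            "redirector": check_redirector(urls)}


def build_sample(link_urls, namespaces) -> bytes:
    """Constructed input: uncompressed link annotations plus an XMP packet.
    Enough for a regex triage pass; not a complete, renderable PDF."""
    parts = [b"%PDF-1.4\n"]
    for n, u in enumerate(link_urls, start=10):
        parts.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link "
                     f"/A << /S /URI /URI ({u}) >> >>\nendobj\n".encode())
    xmlns = " ".join(f'xmlns:n{i}="{ns}"' for i, ns in enumerate(namespaces))
    parts.append(f"99 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
                 f"<rdf:RDF {xmlns}/>\nendstream\nendobj\n".encode())
    return b"".join(parts)


# Constructed sample mirroring the report: one redirector link, five .pdf links
# on static.usrfiles.com, eight on cdn.shopify.com, two XMP namespaces.
# The file paths are made up; only the hosts match the report.
SAMPLE_LINKS = (
    ["https://ttraff.me/wix?keyword=full+form+of+pok+in+gujarati"]
    + [f"https://static.usrfiles.com/ugd/{i:06x}_example.pdf" for i in range(5)]
    + [f"https://cdn.shopify.com/s/files/1/04{i:02d}/files/example{i}.pdf" for i in range(8)]
)
SAMPLE_NAMESPACES = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                     "http://ns.adobe.com/xap/1.0/"]
SAMPLE = build_sample(SAMPLE_LINKS, SAMPLE_NAMESPACES)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for url, channels in sorted(result["urls"].items()):
        print(f"{','.join(sorted(channels)):32} {url}")
    print("link_farm:", result["link_farm"])
    print("redirector:", result["redirector"])
```

Run as-is it fires both checks on the constructed sample and labels the two namespace URIs as xmp_namespace rather than as links. On a real file, first inflate FlateDecode streams and unpack object streams (any PDF parsing library does this) before the regex pass, otherwise annotations stored compressed are missed and the link count is undercounted; the hosts and thresholds should come from your own intelligence, not the constants above.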

Extracted artifacts (12)

Files carved from inside the sample during analysis. All 12 are embedded sfnt (TrueType/OpenType) font streams (kind: pdf-font-stream; source: PDF embedded font at the listed offset), as expected from an HTML-to-PDF rendering; no script, executable or other payload was carved.

Filename                        Offset    Size         SHA-256
font_00_sfnt_off00005694.bin    0x5694    5136 bytes   4c137a4aafbe6ed84311cfe9fee6bee9e9beceb2f2e9b97b11a5d2af39ca69b7
font_01_sfnt_off00006801.bin    0x6801    2656 bytes   1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178
font_02_sfnt_off00007306.bin    0x7306    5560 bytes   778061bc12a3e7806d52a1624391743f2e703f8cd6887dddafb994fe6bb204ba
font_03_sfnt_off000084c6.bin    0x84C6    3048 bytes   e23308bb06bff427f4fe2d795198e016b2e9db23d45fd702446b15ef1a1323d1
font_04_sfnt_off000090d2.bin    0x90D2    2328 bytes   6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed
font_05_sfnt_off00009b8a.bin    0x9B8A    2604 bytes   d4cda5a9ecb2558448f754249352cd4d73a8f7efff03060ee9a54ebf713292d1
font_06_sfnt_off0000a6a0.bin    0xA6A0    2108 bytes   b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b
font_07_sfnt_off0000b074.bin    0xB074    5756 bytes   f5e2fa1b9846c83648ffd2c11d130cb6b07c4c1fbff830a000f29a5774ea98cb
font_08_sfnt_off0000c345.bin    0xC345    10092 bytes  46ed44af4794226aa09b83baf84464707205f1c19d0baeac0da824bf89fd94b2
font_09_sfnt_off0000e60b.bin    0xE60B    17100 bytes  0415911e43b8105d8a6199a408195444484b26654c5bad18f23acbbff8687c89
font_10_sfnt_off0000ff07.bin    0xFF07    5580 bytes   07a86e2ae480ee95467ac438f30004a7f0b5297c7d9034dee0069dcc36f2d562
font_11_sfnt_off000112f1.bin    0x112F1   2608 bytes   d404f64416bf1ff5ad76d6d0ab30c7620aa9735638cfece5436aad8d6ad80edc