Malicious PDF — malware analysis report

Static analysis result for SHA-256 b095cb604326978f…

Verdict: MALICIOUS
File type: PDF
Size: 42.6 KB
Created: 2020-09-01 21:04:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa8fce70469643e34feaa290de917a61
SHA-1: 8bfbb04ee3748ae04cc13a3baf6e121379c954d8
SHA-256: b095cb604326978feac990ad86173d9d3caf672ae36c97f0e9270b693f4dbbf1
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to 'ttraff.club', which is associated with a credit report lure. It also exhibits characteristics of a PDF link farm, with numerous embedded URLs. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the phishing or malware distribution intent. No scripts were extracted from this sample.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=credit+report+experian+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006bc6.bin
  SHA-256: 79bc07c55e940dac5b71446a75f21b6e711f3cdfeb5db5b0573f3c7c84196a12
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6BC6
  Size: 4796 bytes

Filename: font_01_sfnt_off00007c2a.bin
  SHA-256: dd76eb1cf372a2bb3d6f79f6572b1cdb84d57219d24e9dfabfe701e3dabcef44
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7C2A
  Size: 9816 bytes