Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0e683dc40b0ded5…

MALICIOUS

PDF

35.9 KB Created: 2020-08-30 08:25:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6917fdfdcd6667acbb6fe797cc67e6d9 SHA-1: 865a48d98e1bbc17dc5ae77d783e713104dac91b SHA-256: b0e683dc40b0ded5b09d45ded7308dd584bd9eab6d5525972d98da897de95095
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/wix?keyword=project+book+pdf', is designed to lure users into clicking it under the guise of a 'project book pdf'. The document also contains a large number of external PDF links, many of which point to benign content, but the primary malicious link is the highest priority IOC.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=project+book+pdf
    • https://static.usrfiles.com/ugd/b8c837_874d9c6da6c144c6b21e727e9e793d03.pdf
    • https://static.usrfiles.com/ugd/b8c837_233d63fd43384f64a6583dfb153e8502.pdf
    • https://static.usrfiles.com/ugd/b8c837_aa1d48ee2241479585c769cc68060bd9.pdf
    • https://static.usrfiles.com/ugd/739437_72c74afad2594df69e93076284f9d622.pdf
    • https://static.usrfiles.com/ugd/6cfc61_6ac066513f8449399ac8af21276d8d06.pdf
    • https://static.usrfiles.com/ugd/15ebe2_e5ab26d70f16461bbdef8791ce8543fd.pdf
    • https://cdn.shopify.com/s/files/1/0431/1898/5370/files/smok_x_priv_kit_instructions.pdf
    • https://cdn.shopify.com/s/files/1/0429/9243/5359/files/criminal_law_book_1_free_download_philippines.pdf
    • https://cdn.shopify.com/s/files/1/0430/0531/3177/files/lunch_box_movie_download_full.pdf
    • https://cdn.shopify.com/s/files/1/0429/6045/3785/files/continuously_variable_transmission_seminar_report.pdf
    • https://cdn.shopify.com/s/files/1/0437/8663/3374/files/wejuvodorubunupipoguxivor.pdf
    • https://cdn.shopify.com/s/files/1/0451/4018/1146/files/bose_quietcomfort_25_android_vs_apple.pdf
    • https://cdn.shopify.com/s/files/1/0435/3536/8346/files/siwejijubenifovafuxipovuj.pdf
    • https://cdn.shopify.com/s/files/1/0440/0319/7078/files/59696394975.pdf
    • https://cdn.shopify.com/s/files/1/0430/4135/7973/files/apple_10-_k_annual_report_2019.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004ef6.bin
5f8af1ce61a3a0d59ceb5c8aa42c4b83071b0e415c23aabced70b390f9b97017		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4EF6 5012 bytes
font_01_sfnt_off00006018.bin
d31f58f6d2459e44813c1bded7b5faac6e6b9cdcc1d49762c9e6299bc20abc85		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6018 10332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.