Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4c9027e522a05f5…

MALICIOUS

PDF

55.0 KB Created: 2020-09-18 02:48:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ac71a05638094736f23d811d8d96ddb SHA-1: f7e1064ffb446280624a9c7a854b4a2572344a1f SHA-256: b4c9027e522a05f524b6e7de72cfd9eac46151d7bf4b6a9032a40da79b4ca5db
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious URL. Additionally, PDF_SEO_LINK_FARM suggests the document is part of a link farm, likely for SEO poisoning or to distribute malicious content. The embedded URL 'https://ttraff.link/wix?keyword=tc-helicon+voicelive+play+manual' is the primary indicator of malicious intent, likely leading to a phishing or malware download page. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=tc-helicon+voicelive+play+manual
    • http://files.mtasoftball.com/uploads/1/3/0/9/130969489/ec7ac.pdf
    • http://files.jakecassarbushcraft.com/uploads/1/3/1/4/131407635/watowubuf-kizewujedirena-pemixupop-fokenidevomo.pdf
    • http://files.toasttoroast.com/uploads/1/3/1/3/131398288/8775245.pdf
    • http://files.leitrimsocietyofny.com/uploads/1/3/0/7/130739993/d5ba04546.pdf
    • https://cdn.shopify.com/s/files/1/0435/9749/6483/files/15720388908.pdf
    • https://cdn.shopify.com/s/files/1/0435/4405/1864/files/datepicker_default_date.pdf
    • https://cdn.shopify.com/s/files/1/0432/0477/1999/files/livro_administrao_da_produo_e_operaes_ritzman.pdf
    • https://cdn.shopify.com/s/files/1/0459/8824/9757/files/85163288435.pdf
    • https://cdn.shopify.com/s/files/1/0438/4020/9056/files/63835402415.pdf
    • https://4aab7868-a0a8-4830-b31f-292eef03447d.filesusr.com/ugd/733c1f_7e271e4539de4634829b3e3aefe8747c.pdf?index=true
    • https://098be1f7-0995-4150-8115-6490becba06e.filesusr.com/ugd/370021_ec7165639cae46649a1120858b11c353.pdf?index=true
    • https://2096d154-1e19-4641-adcd-439e51bb05a7.filesusr.com/ugd/7ef0dc_15898f35f41546cc9fcc85535c1b720b.pdf?index=true
    • https://6531bc15-dda3-4405-9f59-5e66fa775027.filesusr.com/ugd/69695d_491c06d2477e40b38dad8c7ec78a724f.pdf?index=true
    • https://ff93c2c3-b335-4ed3-a943-d9fb93e2f994.filesusr.com/ugd/6cf0f5_cde1440b102448278413412b8615133d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0450/3791/2214/files/lab_safety_signs.pdf
    • https://cdn.shopify.com/s/files/1/0438/4368/2469/files/bebitod.pdf
    • https://cdn.shopify.com/s/files/1/0483/7890/4729/files/plane_games_unblocked_hacked.pdf
    • https://cdn.shopify.com/s/files/1/0437/6343/3629/files/codigos_para_control_universal_isel.pdf
    • https://cdn.shopify.com/s/files/1/0428/3600/0931/files/lubol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008b8d.bin
0e23df1af3e41e68f16591286b5906d96c080816e94700f1d00ec627ff4b78c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B8D 5040 bytes
font_01_sfnt_off00009ca2.bin
03483ff0e84ab08fdfa93fe4a45e237f69f8f2a7e2b8fd01409830e45d7f5d00		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9CA2 2208 bytes
font_02_sfnt_off0000a63b.bin
57f23f3c6957e1de5c7ade834771af7e96a0f670bbf161563f43c85cc9f888d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA63B 13016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.