Malicious PDF — malware analysis report

Static analysis result for SHA-256 b51d1f0a3bd7c4bd…

MALICIOUS

PDF

47.0 KB Created: 2020-09-02 09:02:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8da990bddc69f5723db83e7bbb7a5f86 SHA-1: 1970964b0d75edbf6a0cf5b193bbf749fe9b92c6 SHA-256: b51d1f0a3bd7c4bdb672e39b3797c8ff66911173cb47dddae99204d66e1be1f7
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a critical heuristic indicating it's a malicious redirector link, pointing to 'ttraff.club'. The document body also explicitly requests sensitive recovery information, such as private keys or backup codes, which is a common social engineering tactic. The embedded URL is likely intended to lead the user to a phishing site or to download further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=angular+private+variable+in+template
    • https://cdn.shopify.com/s/files/1/0438/9378/4728/files/nilifukuvabufebewumegeze.pdf
    • https://cdn.shopify.com/s/files/1/0433/3905/5258/files/reading_and_writing_skills_book.pdf
    • https://cdn.shopify.com/s/files/1/0428/2961/1171/files/18370285034.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/vukabisozudetilo.pdf
    • https://cdn.shopify.com/s/files/1/0439/9002/4350/files/8178767038.pdf
    • https://static.usrfiles.com/ugd/756799_3f8ca3bffd3647d38433903f0863a274.pdf
    • https://cdn.shopify.com/s/files/1/0440/0631/0046/files/44330458190.pdf
    • https://cdn.shopify.com/s/files/1/0432/0601/7185/files/courier_final_draft_font.pdf
    • https://cdn.shopify.com/s/files/1/0427/5005/0460/files/16218423584.pdf
    • https://cdn.shopify.com/s/files/1/0435/8871/4653/files/thiruttu_vcd_movies.pdf
    • https://cdn.shopify.com/s/files/1/0429/0579/6774/files/lebedeguporamesadozovefuv.pdf
    • https://static.usrfiles.com/ugd/b8c837_dd3f338279524cbdb4d0238203f1e331.pdf
    • https://static.usrfiles.com/ugd/9904c2_dbe95ab8b7544cb08414844b78069a01.pdf
    • https://static.usrfiles.com/ugd/7041e4_20f7640b5ad748f0a1186e22a8d745ca.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000751c.bin
bd9c7d316d618a82730dec4476a3e68b5d6436cf0992e6ff7955ddf2730feb0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x751C 5152 bytes
font_01_sfnt_off00008698.bin
3e7f086735590fbaeb7848899d6600f50e767790ebc77bf0d99369ab07b7dacf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8698 12332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.