Malicious PDF — malware analysis report

Static analysis result for SHA-256 b57e6f6370a28d90…

MALICIOUS

PDF

44.9 KB Created: 2020-08-31 18:36:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f3a116d4e76ee9396bb01f58de32d20 SHA-1: ccec37f22efd795687408eb39aba2cd8ff7e3fb3 SHA-256: b57e6f6370a28d90f8567042778710968be3f4c63e3c3a9fef60e128c0d6897a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains a significant number of embedded links, identified as a 'PDF SEO Link Farm'. One of these links, https://ttraff.com/wix?keyword=command+and+conquer+generals+2+beta, is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to this malicious URL and other benign-looking PDF links, suggesting a deceptive lure. The primary intent appears to be redirecting the user to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=command+and+conquer+generals+2+beta
    • https://static.usrfiles.com/ugd/362633_1ea66eaab0bb4f78a4c1ea445e9aca76.pdf
    • https://static.usrfiles.com/ugd/b8c837_8273f436b3bb4fd29d64bae0d0fce374.pdf
    • https://static.usrfiles.com/ugd/df4650_6c6da2e2f04b4a2e8aeac02edeba0a13.pdf
    • https://static.usrfiles.com/ugd/353d00_9827f3928f0c402f86f635186a6f04f5.pdf
    • https://cdn.shopify.com/s/files/1/0434/5479/1832/files/pdf_file_resize_1_mb.pdf
    • https://cdn.shopify.com/s/files/1/0431/5601/3205/files/gosoviduletumobilojajov.pdf
    • https://cdn.shopify.com/s/files/1/0430/5698/8311/files/dileg.pdf
    • https://cdn.shopify.com/s/files/1/0429/7926/2615/files/best_android_tv_apps_apk.pdf
    • https://cdn.shopify.com/s/files/1/0434/3031/4133/files/98439083676.pdf
    • https://static.usrfiles.com/ugd/8e1900_9dc94508995d451fb1a92a40450588f3.pdf
    • https://static.usrfiles.com/ugd/696b8a_b26ee4b3a68b458387f82d58f98fc8ef.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b60b0c50f844d458b006f84c3d5d206.pdf
    • https://static.usrfiles.com/ugd/73c254_f10744bfd49946ab8ccdbcdbd9bedda4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c15.bin
382cefe793bb5febec5ac85179394ec1c645ffd8aa35e79ff7d0bf2637868e47		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C15 11604 bytes
font_01_sfnt_off00007205.bin
c156b89227bbd353c883c480d2926ab102699bef19c5ede7f492743bfefafaf7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7205 5564 bytes
font_02_sfnt_off000084c5.bin
bca01527c3c8a8f6286fad6032e0eb294ddcc747ac378bd6e76586623a59a538		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84C5 9824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.