Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6866af69006fabe…

MALICIOUS

PDF

42.7 KB Created: 2020-08-29 23:30:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bbdcb02575875cae9a26788b009be14 SHA-1: 6dffeeb340c20e224c381c5be124040ae1d6ef01 SHA-256: b6866af69006fabe9dbbd6e9f383a2087d02b1a30117b2baaa0acd278d8c2bcb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a link farm designed to appear as legitimate driver downloads, specifically mentioning 'Dell inspiron m5030 drivers'. The primary malicious link, https://ttraff.cc/wix?keyword=dell+inspiron+m5030+drivers, is identified as a redirector to malicious infrastructure. The document body is heavily obfuscated but contains this primary malicious URL and numerous other PDF links, indicating a link farm for SEO manipulation or traffic redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=dell+inspiron+m5030+drivers
    • https://cdn.shopify.com/s/files/1/0452/5568/8354/files/orari_messe_casinalbo_di_formigine.pdf
    • https://cdn.shopify.com/s/files/1/0454/7146/5630/files/rakaxagif.pdf
    • https://cdn.shopify.com/s/files/1/0433/7650/9080/files/926604791.pdf
    • https://static.usrfiles.com/ugd/b8c837_368b52a6506f474486ead39902221bed.pdf
    • https://static.usrfiles.com/ugd/83b1b3_34c5142796a64b60b04bf5d4bd3c10e9.pdf
    • https://static.usrfiles.com/ugd/b8c837_98fc5aa7399b4310be49e70d6ba902a8.pdf
    • https://static.usrfiles.com/ugd/856cea_2df91311f1cb4ca9bd0f92d31f38e74d.pdf
    • https://static.usrfiles.com/ugd/b8c837_a84918c81c784b88a640d33f38f09a31.pdf
    • https://cdn.shopify.com/s/files/1/0434/0364/0984/files/84353600270.pdf
    • https://cdn.shopify.com/s/files/1/0428/4373/4172/files/fall_2016_tv_schedule.pdf
    • https://static.usrfiles.com/ugd/b8c837_758a16ec0518498996994908b41602d4.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_af9b1e42c1044da5ad7195e0f2e7f826.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ca2.bin
f30cae31c742f15cfb4b6663c73a383c6d983b6cdf9dab446f85f304e7d42ecb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CA2 5384 bytes
font_01_sfnt_off00006ee7.bin
c5e02135c94a5a505df97cd8c0444e8dea2e5fd70903d0dd9338cf886a59d0f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EE7 15404 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.