Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6db0469805dd754…

MALICIOUS

PDF

32.5 KB Created: 2020-08-23 14:51:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49c58c689d25683b4683cba6ed348791 SHA-1: 441e3b2d0b090a7cf2569d249001f34d80cd9d74 SHA-256: b6db0469805dd7540850fecc527ec56b9c7ac3af0ab08fb46a5f3bd20c47fd5f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'ttraff.cc'. The document body, though heavily obfuscated, contains text related to 'Busselton water annual report' and the malicious URL. The presence of a link farm with numerous PDFs hosted on Shopify, combined with the malicious redirector, suggests a phishing or scam attempt to redirect users to malicious content. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=busselton+water+annual+report
    • http://files.boltonwilliams.com/uploads/1/3/1/3/131380005/gutadisirojuwo-wifamukuba-givigureburul-juxaw.pdf
    • http://files.kahulapiko.com/uploads/1/3/1/4/131453588/parosaso_sidana.pdf
    • https://cdn.shopify.com/s/files/1/0434/0659/0106/files/scope_resolution_operator.pdf
    • https://cdn.shopify.com/s/files/1/0438/6842/2309/files/android_9_pie_update_pixel_2.pdf
    • https://cdn.shopify.com/s/files/1/0429/9823/5289/files/tulofi.pdf
    • https://cdn.shopify.com/s/files/1/0433/5144/1560/files/7360904662.pdf
    • https://cdn.shopify.com/s/files/1/0431/3609/0267/files/70901541356.pdf
    • https://cdn.shopify.com/s/files/1/0432/6581/8789/files/bhagavad_gita_kannada_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/3001/9229/files/rededoxokedosapizorizuxu.pdf
    • https://cdn.shopify.com/s/files/1/0430/5590/6970/files/tigepibafoberuxeg.pdf
    • https://cdn.shopify.com/s/files/1/0432/0064/3236/files/daxazebox.pdf
    • https://cdn.shopify.com/s/files/1/0429/7129/9999/files/sofuwuto.pdf
    • https://cdn.shopify.com/s/files/1/0440/9311/2472/files/streamline_english_connections.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000442e.bin
3c2cbb76006bc826ab4fb56ad636b9714c25ec22bd84f2ed4303377cfb191777		 pdf-font-stream PDF embedded font (sfnt) at offset 0x442E 4956 bytes
font_01_sfnt_off00005527.bin
3cb0902449086fba109cf402259c81b5314ce8f140d05eb31093cd69468f023a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5527 9572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.