Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7c5670c8b790ef6…

MALICIOUS

PDF

46.6 KB Created: 2020-09-04 06:39:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8af40f2fc0b38a437f5eae14cc3623d5 SHA-1: b0777bc238e65619c8b636d4f7feff4897b63813 SHA-256: b7c5670c8b790ef6fbb4b07b6085ae5077d0977f024a365f7e5653421a6fd45a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm designed to direct users to a malicious redirector. The primary malicious URL identified is https://ttraff.me/wix?keyword=augmenter+resolution+photo+android. While many other URLs are present, they appear to be part of the link farm and are labeled as confirmed benign.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=augmenter+resolution+photo+android
    • https://static.usrfiles.com/ugd/b8c837_51de7105e05e4e798e6da468956b3eb4.pdf
    • https://static.usrfiles.com/ugd/f96b02_af4cdbc649bd45a1981ae85dfa38b37a.pdf
    • https://static.usrfiles.com/ugd/46429b_01654a771db94d7aae230995696aeef4.pdf
    • https://cdn.shopify.com/s/files/1/0431/3396/0341/files/rakexozese.pdf
    • https://cdn.shopify.com/s/files/1/0432/2941/3544/files/nokuzobotudoteko.pdf
    • https://cdn.shopify.com/s/files/1/0437/5930/4865/files/anna_riva_power_of_the_psalms.pdf
    • https://static.usrfiles.com/ugd/9edd50_99c8d1f134cd4e118aed17cc1586aa64.pdf
    • https://static.usrfiles.com/ugd/808d8c_bc7e05bd5e8847c1a6eb92b3d3b1d6f2.pdf
    • https://static.usrfiles.com/ugd/97634b_9d7eda9448254492b5daa954e45b3461.pdf
    • https://static.usrfiles.com/ugd/5ea4d5_f74ade4217f248c9985cb11edd1bfc25.pdf
    • https://cdn.shopify.com/s/files/1/0436/0319/8116/files/basic_bodice_block_pattern_drafting.pdf
    • https://cdn.shopify.com/s/files/1/0432/6490/1270/files/klasifikasi_jamur_basidiomycota.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057f3.bin
6d291442e932b8ab522830765835129425506e8617e69876efcdfea9887a1286		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57F3 5360 bytes
font_01_sfnt_off000069fb.bin
e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69FB 1800 bytes
font_02_sfnt_off00007289.bin
37eb75f186dc6fbc73336561c0318a93597710650e661d4e75ba43eafbac1043		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7289 11164 bytes
font_03_sfnt_off00009778.bin
531e37f64a2e7dc3bfb257675d9e6c644c7b1597f33ba9a969cd005a7ed65660		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9778 16312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.