Malicious PDF — malware analysis report

Static analysis result for SHA-256 b966ec61c64eb082…

MALICIOUS

PDF

40.1 KB Created: 2020-09-07 09:38:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89573c88e28eb6ece3df4127d6bba92d SHA-1: 4baa9c1b6ea95fb3efb28c08cfa233298449e88e SHA-256: b966ec61c64eb082dad6862d8a960afe457e20f0cc2947c5012103c03f7a4b74
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a mass external link farm, with many links pointing to benign Shopify URLs. However, one critical link, 'https://ttraff.me/wix?keyword=chamsys+pc+wing+drivers', is identified as a malicious redirector. This suggests the document's primary purpose is to trick the user into clicking this malicious link, likely to download further malware or lead to a phishing page. The document body contains garbled text but includes the malicious URL, reinforcing its role as a lure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=chamsys+pc+wing+drivers
    • https://cdn.shopify.com/s/files/1/0430/7664/9121/files/define_mandatory_reporting_care.pdf
    • https://cdn.shopify.com/s/files/1/0430/4220/9945/files/remove_nox_hotbar.pdf
    • https://cdn.shopify.com/s/files/1/0437/4482/1399/files/alter_ego_2_guide_pedagogique_telecharger.pdf
    • https://cdn.shopify.com/s/files/1/0431/8596/3169/files/51715166971.pdf
    • https://cdn.shopify.com/s/files/1/0449/5589/3928/files/tezevudi.pdf
    • https://cdn.shopify.com/s/files/1/0435/9503/8888/files/12071971095.pdf
    • https://static.usrfiles.com/ugd/3fb742_11bb15a78267453689622c9e48bbe7ec.pdf
    • https://static.usrfiles.com/ugd/eaf48f_eb2d0e7983a14100b8f3a0600de9a0f4.pdf
    • https://static.usrfiles.com/ugd/e745be_6aadd2be3e4f4389aeaf8461c36d7944.pdf
    • https://static.usrfiles.com/ugd/3e5db3_819b05aa3a3b42a2926ccc30dc82c061.pdf
    • https://static.usrfiles.com/ugd/35f767_5bd5e87c023a4cec8fd6fb5fde1d9db3.pdf
    • https://cdn.shopify.com/s/files/1/0432/6604/8164/files/cisco_esa_advanced_configuration_guide.pdf
    • https://cdn.shopify.com/s/files/1/0439/6810/2558/files/64754257016.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2959/files/39126776768.pdf
    • https://cdn.shopify.com/s/files/1/0428/4393/0791/files/6853389665.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d6e.bin
6a48c9256615ebd27fde3255135222a1dd9dabf39245b80110af4d881243f9aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D6E 5612 bytes
font_01_sfnt_off00007076.bin
86d45d8a66c1be72a980ed560af990f8aca8131be1dfa36781be6842f643f323		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7076 10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.