Malicious PDF — malware analysis report

Static analysis result for SHA-256 b99a8399805cadae…

MALICIOUS

PDF

63.9 KB Created: 2020-09-16 19:08:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4cfe983d1f2715dc23c7c2b35025bcb1 SHA-1: 4fa4556452078543f6bf30f01330357563795597 SHA-256: b99a8399805cadae1f8d7937bb78b982b550010b45308ace2a471cdaec38d13b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to domains designed to host SEO-optimized PDF files. One critical heuristic firing indicates a direct link to a known malicious redirector, 'ttraff.me', which is likely used to funnel victims to a phishing or malware download page. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=toro+tmc+212+manual+del+usuario', reinforcing the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=toro+tmc+212+manual+del+usuario
    • http://files.closeandpaschalauction.com/uploads/1/3/2/3/132303312/finukasuremu_wimulujimuw_valurizewexi_valitu.pdf
    • http://sexubaw.jacksherrydpm.com/uploads/1/3/1/6/131606575/sipozuj_nulidix_bapanowi.pdf
    • http://files.flagstaffpottersguild.com/uploads/1/3/0/8/130814235/rudufijinogupigiw.pdf
    • http://files.aiqcboston.org/uploads/1/3/0/9/130970014/ae3f3e32420.pdf
    • http://kukeba.alexandra-karl.com/uploads/1/3/1/4/131407067/e3d393296b95e.pdf
    • https://75961214-d614-4822-8a32-3cb6c4b2a6b8.filesusr.com/ugd/6846fe_1c8cbef88b4e4b758f415edce641491c.pdf?index=true
    • https://52d2b9e5-13ec-4a6b-8f3c-85192703f808.filesusr.com/ugd/f35da0_29bbc89e843247c2bf9da855b25e4f44.pdf?index=true
    • https://e1751e7f-a46a-4e9a-8295-ea902bd7e176.filesusr.com/ugd/29c71c_67442ed6582345d4992544c6323759a2.pdf?index=true
    • https://f6b2248b-ba04-456b-8337-d138421c2a9a.filesusr.com/ugd/d1c05f_8cb3d7659d424325a2f81d406a11a6b0.pdf?index=true
    • https://3fda3d0b-8d52-4e7a-b46f-53f87ee4b08f.filesusr.com/ugd/e3c460_950110fd23924ad5aac3d987b9d745d6.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/9323/7665/files/10930061292.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0678/files/systematic_theology_study_bible.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bd15.bin
a224fce969648270f91dc20fa6fcf5a34eb3a5d0d2e46de33255fd0b0fc01600		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBD15 5216 bytes
font_01_sfnt_off0000cebf.bin
87eef3ade4c647f73e76e08b1fd7ff5b7cee5006dfbf31f24b6c2b46856858f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCEBF 10504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.