Malicious PDF — malware analysis report

Static analysis result for SHA-256 bab848b10fa17b5a…

Verdict: MALICIOUS
File type: PDF
Size: 53.5 KB
Created: 2020-08-31 14:15:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fc0f7c8769bf4687940f2494f231ec6
SHA-1: edd9d4b62f13788b44fa2d288c2d83353210c28e
SHA-256: bab848b10fa17b5a82e3fad4b3f9c1596199820560bf0fd331fa0fd5b9eedb36
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of embedded links, a pattern typical of SEO poisoning and of documents built to funnel readers to attacker-controlled sites. The critical finding is a clickable link to a known malicious redirector, ttraff.com, whose URL is dressed up with a search keyword ('adhyatma books in kannada pdf') so that the link appears to lead to the document the victim was searching for. The same URL, along with the other external PDF links, is also present in the document body, which is stored as a Flate-compressed stream rather than as readable text. Together these confirm the pattern: a lure that depends on the user clicking through a redirect chain, not on a PDF parser vulnerability.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains, not on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    A small PDF carries many clickable external PDF links, most of them clustered on a single host. This matches machine-generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; it does not resemble the citation pattern of a normal document.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. A URL is not by itself a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. The last six entries below are XMP/RDF metadata namespace URIs (RDF syntax, Dublin Core and the Adobe PDF/XMP schemas) that any XMP-tagged PDF carries; they are not clickable links and are benign.
    • https://ttraff.com/wix?keyword=adhyatma+books+in+kannada+pdf
    • https://static.usrfiles.com/ugd/b8c837_232b2ce46f504b449e36880dc647fa5a.pdf
    • https://static.usrfiles.com/ugd/df4650_14fdfb27540445d0be95e3fb8865b48b.pdf
    • https://static.usrfiles.com/ugd/b8c837_5a77fbba861a436f9ccbe225fd91bce4.pdf
    • https://static.usrfiles.com/ugd/b77b08_e461b7e065e24985a0259ba140e87ffe.pdf
    • https://static.usrfiles.com/ugd/b8c837_dbd9e75d778640b4b357b5f909b12d62.pdf
    • https://cdn.shopify.com/s/files/1/0430/8667/6117/files/morofeka.pdf
    • https://cdn.shopify.com/s/files/1/0431/3664/7317/files/sisenuzuwawuzejasusores.pdf
    • https://cdn.shopify.com/s/files/1/0431/4179/1895/files/rubidenamaparupisajix.pdf
    • https://cdn.shopify.com/s/files/1/0431/0935/1578/files/51608005827.pdf
    • https://cdn.shopify.com/s/files/1/0437/6431/8359/files/wowivuxo.pdf
    • https://static.usrfiles.com/ugd/b8c837_bc15fbd2af7f40538e429bed6b43baaa.pdf
    • https://static.usrfiles.com/ugd/353d00_074e9ab96ea84f328fbaf448c827ad5d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_004_off00006d50.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x6D50
  Size: 18964 bytes
  SHA-256: 5ee774bb3bdbffee8ff1b9f2949215283c2d9fbd8c678a92c431b5e98b369c6c

Filename: font_00_sfnt_off00005ae3.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5AE3
  Size: 5448 bytes
  SHA-256: 4c37db47fdac5d7e672cbc7ea65c7c2f998f3ffb4b40518e3cd99d2c88e21bef

Filename: font_02_sfnt_off00009854.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9854
  Size: 15320 bytes
  SHA-256: f921ba34ca8f25277aeaf6a407e290ae9edf36f80ed3b95abce9b2dbc839bcae