Malicious PDF — malware analysis report

Static analysis result for SHA-256 c06776aac9bd07d8…

MALICIOUS

PDF

40.6 KB Created: 2020-08-19 09:41:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a725c0dd7dd14324b4fc3680a974bea SHA-1: de23a91a8f1d9121417a89aa271f0d6f476d1036 SHA-256: c06776aac9bd07d82f6ad12b6be8c911207e9f19f64c08f90161167867013ec0
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF document contains a lure for a remote support tool, instructing the user to install or open such software. It embeds a mass of external links, including one to a known malicious redirector at `ttraff.com`. This suggests the document is designed to trick users into visiting malicious sites, potentially leading to further compromise or malware download.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=remote+mouse+for+fire+tv+android+app
    • http://files.edgarsameriks.com/uploads/1/3/1/4/131483209/gaxelemeg-jukiselipuboz-wozifujuma-tapakeled.pdf
    • http://files.designsbycarolann.com/uploads/1/3/0/8/130814513/ac27058e6e8.pdf
    • http://sawixero.artfeltstudio.com/uploads/1/3/0/7/130738546/107337.pdf
    • https://cdn.shopify.com/s/files/1/0449/8993/9871/files/wuwevowexusugid.pdf
    • https://cdn.shopify.com/s/files/1/0428/2672/7580/files/kukusivo.pdf
    • https://cdn.shopify.com/s/files/1/0432/7673/0533/files/xeluselid.pdf
    • https://cdn.shopify.com/s/files/1/0429/0691/0876/files/dasar_dasar_akuntansi_jilid_2.pdf
    • https://cdn.shopify.com/s/files/1/0431/8186/7176/files/dogufeges.pdf
    • https://cdn.shopify.com/s/files/1/0434/0944/0917/files/13414803816.pdf
    • https://cdn.shopify.com/s/files/1/0429/6186/2810/files/wiwolodomezaxexepejok.pdf
    • https://cdn.shopify.com/s/files/1/0438/2598/7734/files/linufodalafirupegumu.pdf
    • https://cdn.shopify.com/s/files/1/0435/1574/0314/files/merujidomawanoj.pdf
    • https://cdn.shopify.com/s/files/1/0429/9456/5271/files/ralofalididamavejev.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000061ef.bin
b3336c689ae57c1dcdc733ba7fd8867179c8276df79f4e019cd92b60ee4273d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x61EF 5224 bytes
font_01_sfnt_off000073a6.bin
33818bdbbda2bab3ec88f96efe4d5eacdd0cac447c77e4c68f18f2dcff02669e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73A6 9956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.