Malicious PDF — malware analysis report

Static analysis result for SHA-256 c094eadf1d0db093…

Verdict: MALICIOUS
File type: PDF
Size: 43.9 KB    Created: 2020-09-10 08:01:29 +03:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b1378fdee6653f8eaf314d079eb8c1e
SHA-1: f4bf7f7fe0e74d4a257210111290d6ae36867ff6
SHA-256: c094eadf1d0db09323eae3a8cf2f0c6a3954f083a7521caf00021dacc5d87dd7
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link | T1204.002 Malicious File | T1059.001 PowerShell (not evidenced by any artifact in this static pass: the extracted content consists of URI links and two embedded fonts, with no script or command-line content)

The PDF carries an unusually large number of clickable links for a 43.9 KB document, and most of them point into infrastructure associated with a known PDF SEO/adware delivery campaign. The primary malicious URL is https://ttraff.me/wix?keyword=ac+bridge+rectifier+waveform: ttraff.me is a redirector domain, and the keyword parameter ("ac bridge rectifier waveform") is a search-engine lure aimed at users looking for electronics content, who are then routed through a redirect chain to malicious or unwanted-software content. The remaining clickable links point to other PDFs hosted on legitimate commercial CDNs (static.usrfiles.com, Wix's user-file host, and cdn.shopify.com) and are clustered on one host. That is a link-farm pattern used to cross-link generated carrier documents, not a citation pattern, so blocking on the target hosts is not practical; the actionable indicators are the redirector domain and the link-farm shape itself. The body text is not directly readable in the raw file, but the document was produced by wkhtmltopdf, i.e. rendered from an HTML page, and the static pass surfaced no JavaScript, embedded file or parser-exploit artifact; only two embedded fonts were carved. The risk comes from user interaction with the links and the redirect chain behind them, not from a PDF parser vulnerability.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK  [critical]  PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM  [critical]  Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL  [info]  Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector (clickable link):
    • https://ttraff.me/wix?keyword=ac+bridge+rectifier+waveform
    Link-farm targets (clickable links to other PDFs on third-party CDNs; ten on static.usrfiles.com, two on cdn.shopify.com):
    • https://static.usrfiles.com/ugd/ade4e6_6db62bc4a581422392dafc0a427310a0.pdf
    • https://static.usrfiles.com/ugd/d5d855_37e14632e28742e9b611f77c76c08fcb.pdf
    • https://static.usrfiles.com/ugd/23e9be_344f388a2582493397fd2572e654722f.pdf
    • https://static.usrfiles.com/ugd/57c819_2b577e8a6961472b80243a35b72a07f4.pdf
    • https://static.usrfiles.com/ugd/45e30f_6dff4cab7a8048e7a9ebd03d4d87258d.pdf
    • https://static.usrfiles.com/ugd/cc15ef_63b9575e36704cc5a6d53958c46be875.pdf
    • https://static.usrfiles.com/ugd/432b07_cde31fcbb1f54cc1b51c7890c04d5309.pdf
    • https://static.usrfiles.com/ugd/7603ae_2270ed33ac504883b73458527ed44274.pdf
    • https://static.usrfiles.com/ugd/b8c837_196c6694c5074fdab78e83b1d9110e4f.pdf
    • https://static.usrfiles.com/ugd/144d27_1e2974d595fa44dcbdfb795221bf50a1.pdf
    • https://cdn.shopify.com/s/files/1/0437/9813/4941/files/fudoxezaxanonojisugosi.pdf
    • https://cdn.shopify.com/s/files/1/0428/3075/8044/files/9805547506.pdf
    XMP metadata namespace identifiers (schema URIs from the document's metadata packet, not clickable links; these appear in any XMP-tagged PDF and are not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
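As an added worked example (not code from this report or from the scanner that produced it), the Python below reproduces the two link heuristics above over a constructed stand-in for the sample. It pulls every URI out of the raw file, labels the channel each came from (link annotation versus XMP namespace declaration) so that metadata URIs are never counted as clickable, and then applies the redirector check and the small-file/clustered-PDF-links check. The redirector list, the size and clustering thresholds, and the sample PDF bytes are assumptions chosen for illustration, not values taken from the report.

```python
"""Link-based triage of a PDF: PDF_MALICIOUS_REDIRECTOR_LINK and
PDF_SEO_LINK_FARM, with per-URL channel labels.

Added example, not code from the report or its scanner. The redirector
list, the thresholds and the sample bytes below are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed: hosts treated as known redirector infrastructure.
KNOWN_REDIRECTORS = {"ttraff.me"}

# Assumed thresholds (the real sample is 43.9 KB with a dozen clickable links).
MAX_CARRIER_SIZE = 200_000   # bytes; what counts as a "small" PDF
MIN_PDF_LINKS = 5            # clickable links whose target is itself a .pdf
CLUSTER_RATIO = 0.6          # share of those .pdf links that sit on one host

# /URI (...) literal-string action inside a link annotation; the literal may
# contain backslash-escaped parentheses.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# xmlns:prefix="..." declarations inside an XMP metadata stream.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')


def extract_uris(pdf):
    """Return (channel, url) pairs found in the raw bytes."""
    found = []
    for m in URI_ACTION_RE.finditer(pdf):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo PDF literal escapes
        found.append(("link_annotation", raw.decode("latin-1")))
    for m in XMLNS_RE.finditer(pdf):
        found.append(("xmp_namespace", m.group(1).decode("latin-1")))
    return found


def triage(pdf):
    """Apply both heuristics; only link-annotation URIs count as clickable."""
    uris = extract_uris(pdf)
    clickable = [u for ch, u in uris if ch == "link_annotation"]
    hits = []

    redirectors = sorted({urlsplit(u).hostname for u in clickable
                          if urlsplit(u).hostname in KNOWN_REDIRECTORS})
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")

    pdf_links = [u for u in clickable
                 if (urlsplit(u).path or "").lower().endswith(".pdf")]
    top_host, top_count = None, 0
    if pdf_links:
        top_host, top_count = Counter(
            urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
    if (len(pdf) <= MAX_CARRIER_SIZE and len(pdf_links) >= MIN_PDF_LINKS
            and top_count / len(pdf_links) >= CLUSTER_RATIO):
        hits.append("PDF_SEO_LINK_FARM")

    return {
        "size": len(pdf),
        "channels": dict(Counter(ch for ch, _ in uris)),
        "clickable": clickable,
        "redirectors": redirectors,
        "pdf_link_top_host": top_host,
        "pdf_link_top_share": round(top_count / len(pdf_links), 2) if pdf_links else 0.0,
        "hits": hits,
    }


def build_sample_pdf():
    """Constructed, uncompressed stand-in shaped like the sample: one redirector
    link, ten link-farm targets on one CDN host, one on another, and an XMP
    packet with the usual namespace declarations. Not the real file."""
    urls = (["https://ttraff.me/wix?keyword=ac+bridge+rectifier+waveform"]
            + ["https://static.usrfiles.com/ugd/%06x_example.pdf" % i for i in range(10)]
            + ["https://cdn.shopify.com/s/files/1/0000/0000/0000/files/example.pdf"])
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n" for u in urls)
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF>')
    return (b"%PDF-1.4\n" + annots
            + b"<< /Type /Metadata /Subtype /XML >>\nstream\n" + xmp
            + b"\nendstream\n%%EOF\n")


# Constructed control: a single citation-style link should trigger nothing.
BENIGN_CITATION_PDF = (b"%PDF-1.4\n<< /Type /Annot /Subtype /Link "
                       b"/A << /S /URI /URI (https://example.org/paper.pdf) >> >>\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in (("constructed sample", build_sample_pdf()),
                       ("benign citation", BENIGN_CITATION_PDF)):
        r = triage(blob)
        print(name, r["size"], "bytes", r["channels"], r["hits"])
```

Run stand-alone, the constructed sample trips both critical heuristics while the control trips none; the XMP namespaces register as their own channel but never reach the clickable set, which is the point the EMBEDDED_URL entry makes. On a real file, inflate Flate-compressed streams (and object streams in PDF 1.5+) with a PDF library before scanning, since link annotations stored inside compressed objects are invisible to a raw-byte regex.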

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c38.bin
  SHA-256: c8761d8727e6a717d70436dab143999bef4fa436681a85a3eba1749c196da6bb
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x6C38    Size: 5412 bytes
Filename: font_01_sfnt_off00007ea8.bin
  SHA-256: af63923495ef67ab1eba3fb2d07e6c50c3f08c887768526133cb8eae14fc4c33
  Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x7EA8    Size: 10540 bytes