Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1fdda8ee71badad…

MALICIOUS

PDF

Size: 44.5 KB
Created: 2020-09-05 13:10:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45f5222b5a7c5cd2bf582159f4bdf9b5
SHA-1: ed49681e4fa5f2daf4e23134d9fb634e7d845656
SHA-256: c1fdda8ee71badad74f1b8eed1a0a4b3d18431199645336f03ce705486e0c2e2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, and a critical heuristic identifies one of them as a known malicious redirector. The document body, though heavily obfuscated, contains text about 'coloring sheets' and carries the malicious URL. The presence of a link farm suggests an attempt to distribute malicious content or to engage in SEO poisoning. The primary malicious URL is https://ttraff.club/wix?keyword=cool+car+coloring+sheets.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=cool+car+coloring+sheets
    • https://cdn.shopify.com/s/files/1/0430/7704/2325/files/fasofubotufazazonoz.pdf
    • https://cdn.shopify.com/s/files/1/0465/5362/8830/files/masoxaduguwi.pdf
    • https://cdn.shopify.com/s/files/1/0438/2123/6381/files/lufusaresademi.pdf
    • https://static.usrfiles.com/ugd/defcb2_55e738444a62472b91588d31f69ff5a9.pdf
    • https://static.usrfiles.com/ugd/34e21e_2b1d517e13354f9191d6d84582ccf37f.pdf
    • https://static.usrfiles.com/ugd/221f3a_3d8709a649cd4b279d126af6f702bf5e.pdf
    • https://static.usrfiles.com/ugd/7a11b0_96db9b5a15cf4585ba830c2633f0dec5.pdf
    • https://static.usrfiles.com/ugd/764aaa_1e9bae4ffbcb47c2a2415511c69be426.pdf
    • https://cdn.shopify.com/s/files/1/0433/9207/3895/files/78985489659.pdf
    • https://cdn.shopify.com/s/files/1/0436/4691/0624/files/anti_plagiarism_software_free_for_thesis.pdf
    • https://cdn.shopify.com/s/files/1/0431/2412/9946/files/88518003625.pdf
    • https://cdn.shopify.com/s/files/1/0434/0744/2072/files/basics_of_civil_engineering_drawing.pdf
    • https://cdn.shopify.com/s/files/1/0432/0785/2192/files/zebebijurubatixot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007068.bin
  SHA-256: 500797d95f0d4061419dd7b4149ef54af91a45f04620d7045c64c76fbfff1478
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7068
  Size: 4968 bytes

Filename: font_01_sfnt_off00008140.bin
  SHA-256: 7ab9fdaf6392f8b184dcb1ae73696abe86f5d901b2b99b9125dd949515441ec9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8140
  Size: 10548 bytes