Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3b084af24383232…

MALICIOUS

PDF

42.3 KB Created: 2020-09-02 08:58:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 406880fd94087f909f21a4b390ef4845 SHA-1: 6ac6160739a5fb0aee3b83b29dc3eb4d9610bf7a SHA-256: c3b084af243832321aee1d6837a21864598cc3bfb2583ddd5c18fcccbd48f787
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.club/wix?keyword=somerset+dough+sheeter+maintenance', is flagged as a known malicious redirector. The presence of a link farm and a malicious redirector suggests the document is intended to lure users to malicious websites, likely for phishing or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=somerset+dough+sheeter+maintenance
    • https://cdn.shopify.com/s/files/1/0434/4758/2870/files/alt_numpad_codes.pdf
    • https://cdn.shopify.com/s/files/1/0431/7816/4387/files/jekemutiwavonoxesulugareb.pdf
    • https://cdn.shopify.com/s/files/1/0430/7196/3296/files/60952241196.pdf
    • https://cdn.shopify.com/s/files/1/0428/4373/4182/files/myers_cavatina_guitar_sheet_music.pdf
    • https://cdn.shopify.com/s/files/1/0460/3235/5492/files/83976297040.pdf
    • https://cdn.shopify.com/s/files/1/0463/0387/1138/files/43382431116.pdf
    • https://cdn.shopify.com/s/files/1/0438/4374/7990/files/fudumawowikesubafanuta.pdf
    • https://cdn.shopify.com/s/files/1/0431/7433/0517/files/suntrust_bank_statement.pdf
    • https://cdn.shopify.com/s/files/1/0428/5943/0054/files/73092327595.pdf
    • https://cdn.shopify.com/s/files/1/0428/2541/6860/files/kansas_city_news_reporter_salary.pdf
    • https://static.usrfiles.com/ugd/24d943_218fb0e00f7b4363b840ea7493d48f2f.pdf
    • https://static.usrfiles.com/ugd/eed56f_2971fdb1352f48fe90f2e1a706f2ab45.pdf
    • https://static.usrfiles.com/ugd/ae15ca_3c1bd41d89a449a5a4da9492fc591a0f.pdf
    • https://static.usrfiles.com/ugd/f1d680_72925531a26c42d6aec6b243d6b66759.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006201.bin
a1546a5e3b94c05c6e287582adfb78095b908be668dc263b1f8d91089dad724f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6201 5424 bytes
font_01_sfnt_off00007441.bin
03b96847ffed6b92bf7dc4da9477abe006cabcbffb2420697be5aa0a9776c827		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7441 12764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.