Malicious PDF — malware analysis report

Static analysis result for SHA-256 c46482d8a04ba750…

MALICIOUS

PDF

43.7 KB Created: 2020-08-12 05:47:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82aa583abbe2421fdeff8a7027995295 SHA-1: a298a3628a3b806046e8b9b5b1549e8aac060833 SHA-256: c46482d8a04ba750f80212594ff074d6def706d0a60bca77c6abbf88c9e630c5
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in

The PDF file contains a large number of embedded links, many of which point to a redirector service (ttraff.cc). The document body, though heavily obfuscated, contains the same URL as the primary redirector. This suggests a link farm or redirection attack designed to lead users to malicious content. The presence of numerous external links, including a redirector, strongly indicates a malicious intent to direct users to potentially harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=analise+de+fofa+pdf
    • http://files.debaerelab.com/uploads/1/3/0/7/130739387/lilonasojokun_jodetonoj_bujetix_lonijuxonif.pdf
    • http://files.ariellejochum.com/uploads/1/3/1/4/131437064/xabuwale_zinepupevovur_zilukaz_sulesurororo.pdf
    • http://files.jameshesla.com/uploads/1/3/2/6/132683289/cc509.pdf
    • https://cdn.shopify.com/s/files/1/0431/6109/2250/files/terisar.pdf
    • https://cdn.shopify.com/s/files/1/0430/7845/1351/files/20545451271.pdf
    • https://cdn.shopify.com/s/files/1/0433/3384/5150/files/nuvusiwifegezazi.pdf
    • https://cdn.shopify.com/s/files/1/0432/7797/5712/files/generalized_anxiety_disorder_adalah.pdf
    • https://cdn.shopify.com/s/files/1/0438/8772/2648/files/gunuvujopadowurowajupol.pdf
    • https://cdn.shopify.com/s/files/1/0433/2240/9125/files/arris_how_to_port_forward.pdf
    • https://cdn.shopify.com/s/files/1/0437/0078/1208/files/sanudukon.pdf
    • https://cdn.shopify.com/s/files/1/0447/8589/3542/files/assimilation_in_phonetics.pdf
    • https://cdn.shopify.com/s/files/1/0431/1734/6965/files/76588009384.pdf
    • https://cdn.shopify.com/s/files/1/0430/9581/8404/files/bafg_antrag_rlp.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/sosivizugepu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006f9e.bin
9eafdbf7b7d48ef68bf1fb696d8755a5775fc64c32609c6d36fa501ee0f93125		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F9E 4928 bytes
font_01_sfnt_off00008075.bin
fdcb680893626d39c84ad24694f032763d23751ca3d19d0b741d7f80f4e8260d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8075 10024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.