Malicious PDF — malware analysis report

Static analysis result for SHA-256 c46ba30ec1198ea4…

MALICIOUS

PDF

64.4 KB Created: 2020-09-01 07:46:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 647eafd7abd29444a02f4a9503bc50b2 SHA-1: dd80692c48233feb4d2875f2417b87a18a6e9418 SHA-256: c46ba30ec1198ea428b97f2b49f6cf0e8ed1b4ca8aabcbf8b2e74453359a134b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'https://ttraff.com/wix?keyword=apache+poi+3.+9+jar+free'. Additionally, it exhibits characteristics of a PDF link farm, embedding numerous external links, with the primary one leading to a redirector. The document body, though heavily obfuscated, contains the same URL, reinforcing the malicious intent. The primary attack pattern involves luring the user to click the malicious link.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=apache+poi+3.+9+jar+free
    • https://static.usrfiles.com/ugd/65b209_0ed1f1a8e6ed4cf2864f596e9fc61f38.pdf
    • https://static.usrfiles.com/ugd/865d50_3cd6aa9e78624716a706b771a8671827.pdf
    • https://static.usrfiles.com/ugd/dfb5f8_6b8ade08ee9e4216a3140c5127182bbf.pdf
    • https://static.usrfiles.com/ugd/4bb894_716f9256230049d58aa950d4556d2599.pdf
    • https://cdn.shopify.com/s/files/1/0431/4077/6090/files/72873846066.pdf
    • https://cdn.shopify.com/s/files/1/0434/7016/0032/files/25003017742.pdf
    • https://cdn.shopify.com/s/files/1/0429/6998/9279/files/75702629566.pdf
    • https://cdn.shopify.com/s/files/1/0440/6021/3398/files/sudepivosebevawizuruj.pdf
    • https://cdn.shopify.com/s/files/1/0431/6764/5852/files/lasers_and_feelings_character_sheet.pdf
    • https://static.usrfiles.com/ugd/6f9b04_4f757dd4579d4d4bb45930e5181120c5.pdf
    • https://static.usrfiles.com/ugd/cbe7f7_01956703fc444d7392aa073dfc069e2b.pdf
    • https://static.usrfiles.com/ugd/07e02c_4a17793e2d2646af8c65fc1d6b1c4039.pdf
    • https://static.usrfiles.com/ugd/b8c837_d46dfc5edf7f4833a626abf19ee6e198.pdf
    • https://static.usrfiles.com/ugd/b8c837_9739dc1acc38414c9df0e5c4031d5b43.pdf
    • https://cdn.shopify.com/s/files/1/0433/3076/4968/files/kaspersky_antivirus_2018_with_crack.pdf
    • https://cdn.shopify.com/s/files/1/0432/3000/3355/files/68733930219.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b4e4.bin
324784add717f769873085f9b53159663e71c34e0006bc8936808ebee5ec3817		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB4E4 5312 bytes
font_01_sfnt_off0000c6fb.bin
02b19816245b1b506e68db8b05a717cc6c1b5ac18e505052d9821a95788db555		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC6FB 14964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.