Malicious PDF — malware analysis report

Static analysis result for SHA-256 c658f60aea30b7ca…

MALICIOUS

PDF

33.5 KB Created: 2020-08-23 05:19:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 470c881199747b0aa6ff55843aaf1e71 SHA-1: b5464a021e2c74d62e35a686b23649a0d94183bd SHA-256: c658f60aea30b7ca44fc666bceb455cbca7b1e2d86db7fe4c0990461fa53d34e
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link and a link farm, indicating it's designed to lead users to harmful sites. The document body and embedded links suggest a social engineering lure, prompting the user to install a browser extension or view content, which is a common tactic for credential theft or malware installation. The primary malicious URL identified is ttraff.cc, which is used in conjunction with a lure related to a 'hookah menu design template'.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=hookah+menu+design+template
    • http://xexozavu.immanuellutheranchurch.org/uploads/1/3/0/7/130776885/87dc61a8fb039.pdf
    • http://files.youchoose.eu/uploads/1/3/1/3/131398085/buduxasugodojidekugo.pdf
    • http://files.cottonwoodcreekclothing.com/uploads/1/3/1/3/131381376/4a0e68ff7.pdf
    • http://files.am-ttc.ch/uploads/1/3/1/8/131857270/lalolulamisisesezo.pdf
    • http://verapen.carolduber.com/uploads/1/3/1/3/131384013/72b61bcb8e55135.pdf
    • https://cdn.shopify.com/s/files/1/0437/0595/8565/files/nezisobetavifap.pdf
    • https://cdn.shopify.com/s/files/1/0461/9154/2423/files/nurin.pdf
    • https://cdn.shopify.com/s/files/1/0434/0776/9750/files/dosidavexu.pdf
    • https://cdn.shopify.com/s/files/1/0434/7153/6285/files/puzur.pdf
    • https://cdn.shopify.com/s/files/1/0438/3594/9218/files/66898423322.pdf
    • https://cdn.shopify.com/s/files/1/0433/4472/4133/files/xonivimifojigusuwozitu.pdf
    • https://cdn.shopify.com/s/files/1/0430/2657/9610/files/57126274433.pdf
    • https://cdn.shopify.com/s/files/1/0438/1330/6530/files/nigerian_praise_and_worship_music.pdf
    • https://cdn.shopify.com/s/files/1/0434/0632/7959/files/libro_los_compas_y_el_diamantito_legendario.pdf
    • https://cdn.shopify.com/s/files/1/0436/0926/0190/files/64503958329.pdf
    • https://cdn.shopify.com/s/files/1/0429/3427/2159/files/70856037826.pdf
    • https://cdn.shopify.com/s/files/1/0431/8953/4869/files/topotexevirul.pdf
    • https://cdn.shopify.com/s/files/1/0438/4302/7106/files/mathematical_statistics_with_applications_student_solutions_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/2351/5294/files/sotisavudifamuvuten.pdf
    • https://cdn.shopify.com/s/files/1/0433/9482/6405/files/random_real_address.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0438/4302/7106/files/mathematical_statistics_with_applications_student

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000487f.bin
1d221bd04499bebc565c67c2093c2353cc29541844799b802e9e867330379f66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x487F 5300 bytes
font_01_sfnt_off00005a61.bin
1241bdae0c88fde91a6083042858a33b72bb36eff0f052364cc215ddde93869a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A61 8976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.