Malicious PDF — malware analysis report

Static analysis result for SHA-256 c67fcb64960c744b…

Verdict: MALICIOUS
File type: PDF
Size: 48.3 KB
Created: 2020-08-07 15:32:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff33d0371cf5dacd6db9bb9beba6629c
SHA-1: f8f7a34cd1ba9f3f1e1cc399da073f05bbd871a9
SHA-256: c67fcb64960c744b89b0d39bc7159cf3ccb084c5c7a7957d5a23d29dd6c9ee9c
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded links, including a critical redirector link to 'ttraff.com'. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates this URL is associated with malicious infrastructure. Additionally, the 'PDF_SEO_LINK_FARM' heuristic identifies a large number of external PDF links, suggesting an attempt to manipulate search engine results or distribute further malicious content. The presence of a 'download button' lure reinforces the malicious intent.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=siklus+hidup+bryophyta+pdf (link annotation flagged by PDF_MALICIOUS_REDIRECTOR_LINK)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000700a.bin
    SHA-256: 6f8f86a640a3ed2e81ccc6183bff20eb3a2af0e8ec0a9a4981bd197ed353d18b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x700A
    Size: 5196 bytes
  • Filename: font_01_sfnt_off000081b0.bin
    SHA-256: ee476556d9c03060006b23ef1ef463b2d63b64e3e23708d6ef96107e04298e4e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81B0
    Size: 10924 bytes
  • Filename: font_02_sfnt_off0000a59c.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA59C
    Size: 4324 bytes