Malicious PDF — malware analysis report

Static analysis result for SHA-256 c85854ffe0caf80c…

MALICIOUS

PDF

40.8 KB Created: 2020-09-16 20:48:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 616b0f06283edd83430f90293b3e352f SHA-1: bbfe415082a5fede4c0bce0103d4b6e113d6bc04 SHA-256: c85854ffe0caf80cbd26f6672ca7d04a4e73b4ec686c719168813dc578ecfcc4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with a critical heuristic firing indicating it's a malicious redirector. The document body, though partially corrupted, contains text suggesting a lure for a 'Kenmore front load washer service manual'. The primary malicious link, https://ttraff.link/wix?keyword=kenmore+front+load+washer+service+manual, is likely intended to lead the user to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=kenmore+front+load+washer+service+manual
    • http://files.cbenglish.com/uploads/1/3/2/7/132712514/xaferufedado.pdf
    • http://files.dylanhurwitz.com/uploads/1/3/0/7/130739699/migizod-supurelejevibi.pdf
    • http://files.kaycorcoran.com/uploads/1/3/0/7/130776655/bavexoliwekow.pdf
    • https://5c79c7e4-a539-4b51-bb21-b67b91ee773c.filesusr.com/ugd/b463f2_ede72a790a7c4692b36579b426dac976.pdf?index=true
    • https://cf625123-db2e-4e34-9541-701683b6dbb4.filesusr.com/ugd/b42fd6_9dfd53c295b74723a2e0aad6b25bc92d.pdf?index=true
    • https://89649f9a-db01-47d8-ad0c-ab6b2baf5d86.filesusr.com/ugd/a4d998_1f4f8c87004946b6a589dff777ebfaa7.pdf?index=true
    • https://479e97e2-b005-4d03-9a4c-3ed510d2c1ab.filesusr.com/ugd/9df9d6_c764321f4b72419ba7e81ff15ae8197e.pdf?index=true
    • https://ede98dc3-75c8-4de8-94f2-b79f33adb838.filesusr.com/ugd/0010c8_36997453896a4bb7ab950576b15ddcf9.pdf?index=true
    • https://e4f08531-2a92-49dd-8048-fb24890c7df4.filesusr.com/ugd/0cd019_8e1324c144d74e4b8f114dd1b4ce0253.pdf?index=true
    • https://35000860-c919-494e-a344-c9937816e008.filesusr.com/ugd/008a9f_c4c60cb8710a416ba9d2d822cd867049.pdf?index=true
    • https://6966cc20-e605-4c23-8f06-78ed1bd5af71.filesusr.com/ugd/7be1cd_5266a077832645a0a862ac9619afe699.pdf?index=true
    • https://e96b4e5b-3f75-457b-bee2-0d5d60ac0b2b.filesusr.com/ugd/d31907_bf5f22354d69480eabbe34740b0112bc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000612c.bin
3cdb3e7ea690b7a6f2684465ea50f73a5fbbb670023c8debf6149192c0cc8461		 pdf-font-stream PDF embedded font (sfnt) at offset 0x612C 5380 bytes
font_01_sfnt_off0000736c.bin
d08aab08fd136e182ee1639898764010c73701833a28da9eff8b04e4b4aa07bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x736C 10340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.