Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8a896bafb03db04…

MALICIOUS

PDF

35.1 KB Created: 2020-09-03 00:38:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 571d4a084b10b33f90a5658a581b613e SHA-1: 413aa13e4c12c55358686e025f8ba142afba156f SHA-256: c8a896bafb03db04506c068591cc6b8c2ae0dd9d1024ac1ef63578c3e31d413c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.com/wix?keyword=abstruse+information+crossword+clue'. The document body, though heavily obfuscated, appears to contain this URL and other benign-looking PDF links, suggesting a lure to a malicious site disguised as a link farm. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=abstruse+information+crossword+clue
    • https://static.usrfiles.com/ugd/55f640_80649cece100426195d58bb910a7674e.pdf
    • https://static.usrfiles.com/ugd/b3bc21_ab2b6447c7c9439abac501168d846fef.pdf
    • https://static.usrfiles.com/ugd/493135_a6c92449fc7b4e5d913ff5bb93827041.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_7398d8ceeb9540078082c5c20e5075aa.pdf
    • https://static.usrfiles.com/ugd/cfbfd2_dbf02a2010984c37842df08de63d2f2a.pdf
    • https://cdn.shopify.com/s/files/1/0429/2273/7820/files/chelsea_vs_arsenal_europa_finals.pdf
    • https://cdn.shopify.com/s/files/1/0462/2739/0615/files/technical_analysis_patterns_cheat_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0433/9784/1054/files/nero_9_essentials.pdf
    • https://cdn.shopify.com/s/files/1/0430/9522/8565/files/89680837850.pdf
    • https://cdn.shopify.com/s/files/1/0429/6127/2983/files/responsive_table_email_template.pdf
    • https://cdn.shopify.com/s/files/1/0434/0131/4456/files/diablo_2_higher_resolution.pdf
    • https://cdn.shopify.com/s/files/1/0434/3260/7894/files/cattell_16pf.pdf
    • https://cdn.shopify.com/s/files/1/0435/3540/1111/files/aaj_tak_app_kare.pdf
    • https://cdn.shopify.com/s/files/1/0429/5933/9679/files/thalamus_and_hypothalamus.pdf
    • https://cdn.shopify.com/s/files/1/0431/7020/1760/files/bowigogutonixafesorip.pdf
    • https://cdn.shopify.com/s/files/1/0432/0660/7012/files/povokuvexonigem.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a94.bin
1d4ac1cce5539f219b22fea49e7c5785bc97519dfa07229e51db33cb67fb7411		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A94 5388 bytes
font_01_sfnt_off00005cdb.bin
3837c72a836a9eed107933e2c9f5a5395ad69e96da7cb85666c56aa001ce90ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5CDB 10072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.