Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca7e3b414845469b…

MALICIOUS

PDF

42.3 KB Created: 2020-06-08 11:36:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65cd95e8a66b29bfcbac51a99cf8310c SHA-1: c4572251485697b907c1138bcb3ca6394a4ea4f9 SHA-256: ca7e3b414845469bc71cc3f9600522953044d4ab3bcc557fffface1315ac91b3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains numerous embedded links, a common technique for SEO poisoning and redirecting users to malicious sites. One critical heuristic firing indicates a link to known malicious redirector infrastructure at 'ttraff.com'. Another critical heuristic identifies a PDF link farm hosted on '3qe.undesirable.us', suggesting a coordinated effort to distribute malicious content. The document body, though heavily obfuscated, contains references to 'The Voice episode guide' and the 'wkhtmltopdf' tool, likely a lure to disguise the malicious intent of linking to external, potentially harmful, content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wp3?keyword=the+voice+episode+guide#the+voice+episode+guide
    • http://3qe.undesirable.us/uploads/1/3/0/4/130476650/gopixari-temar.pdf
    • http://cevapciciusa.com/uploads/1/3/1/3/131398252/e634bb9b9.pdf
    • http://porter-briggs.com/uploads/1/3/0/2/130272242/7085253.pdf
    • http://cyanedoriginals.com/uploads/1/3/0/6/130621642/nidabamutasif-roworipuj.pdf
    • http://rapidresponseplumbinginc.com/uploads/1/3/1/4/131437573/9d0732326f5ce.pdf
    • http://ecolemming.org/uploads/1/3/1/4/131407901/3884880.pdf
    • http://lajanette.com/uploads/1/3/0/7/130740180/7098a8.pdf
    • http://rapidresponseplu
    • https://xepulufinupo.files.wordpress.com/2020/06/sutuwipaguwurisi.pdf
    • https://xarinigeted.files.wordpress.com/2020/06/kixoxunirugisozeb.pdf
    • https://kupekitekef306591479.files.wordpress.com/2020/06/sikevilaxuvux.pdf
    • https://womerevem.files.wordpress.com/2020/06/9662363273.pdf
    • https://miwajanawal.files.wordpress.com/2020/06/lixatifudasekuw.pdf
    • https://noxepirowako.files.wordpress.com/2020/06/tuwazewogonokewixep.pdf
    • https://polobepokug.files.wordpress.com/2020/06/5631508519.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007af7.bin
98527c582539c7934b41bf3f688158ee0853a79a17b68feac437c35f0b1aff2c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AF7 10088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.