Malicious PDF — malware analysis report

Static analysis result for SHA-256 cad150da6704efe7…

MALICIOUS

PDF

41.7 KB Created: 2020-08-31 00:03:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c55fad2f194a452d42360ad32a6e205 SHA-1: 24d8d2193dbb74b11f76e2615c3795319110198c SHA-256: cad150da6704efe7f9ed5c1d53e806b77c64d63f450b7222bf6031744fc8d15b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a large number of embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/wix?keyword=diezmillo+de+res+en+ingles', which is flagged as malicious. The presence of numerous links suggests an attempt to direct users to malicious infrastructure, likely for further exploitation or credential harvesting.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=diezmillo+de+res+en+ingles
    • https://static.usrfiles.com/ugd/429b25_ed4e20a4704c4701a5c6d08925422a6d.pdf
    • https://static.usrfiles.com/ugd/5cf23b_0b299fc280f14595a3c9fce6c0e44c98.pdf
    • https://static.usrfiles.com/ugd/33ab24_c0c9d47e692c4660b08658f427f7d2f0.pdf
    • https://static.usrfiles.com/ugd/b47706_adfa55382852422da07682664e084208.pdf
    • https://cdn.shopify.com/s/files/1/0440/1309/3029/files/english_hebrew_interlinear_bible.pdf
    • https://cdn.shopify.com/s/files/1/0461/7705/8969/files/boulevard_of_broken_dreams_acoustic.pdf
    • https://static.usrfiles.com/ugd/ea2f88_d7d6e3bb6505424ea7a42b03ba076d2f.pdf
    • https://static.usrfiles.com/ugd/b8c837_a16ee868ecb245848121c626a9ffde59.pdf
    • https://static.usrfiles.com/ugd/6d59ab_2238723523104c7cb56321c7ef1dca58.pdf
    • https://static.usrfiles.com/ugd/10b11f_ec3525ea4fdf46c88783b6164b260d04.pdf
    • https://static.usrfiles.com/ugd/314c35_744b79915b81430085916f4622a48e04.pdf
    • https://cdn.shopify.com/s/files/1/0430/0885/2117/files/76597185819.pdf
    • https://cdn.shopify.com/s/files/1/0435/8130/9085/files/86464258277.pdf
    • https://cdn.shopify.com/s/files/1/0431/2186/8960/files/41278129418.pdf
    • https://cdn.shopify.com/s/files/1/0435/6653/0721/files/56698344429.pdf
    • https://cdn.shopify.com/s/files/1/0436/8669/0969/files/79701998449.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006631.bin
dc8079582228bb51e977b4e153c19c1f2deb31244354733536081d85b21957be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6631 4984 bytes
font_01_sfnt_off00007715.bin
29707c4217ef78424cfad588edeb2649baddaf3f3ccbd3474558292c246e51e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7715 10236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.