Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccd895831bd90c1c…

MALICIOUS

PDF

42.8 KB Created: 2020-08-21 22:47:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43b3860cdbda7a43b143b21f2893bfbc SHA-1: 3ff82e7e3a687358279c29c3046e92da0f77c69e SHA-256: ccd895831bd90c1c9c42c6abf1ca3e2f139acbdea10a56d3d650c4996a8e86d3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.com, which is disguised as a TP-Link router manual. This redirector likely leads to further malicious content or exploits. The document also exhibits characteristics of a link farm, embedding numerous links to other PDFs, potentially for SEO manipulation or to spread malicious content across multiple benign-looking domains. No scripts were extracted, but the primary malicious activity is the redirection to the ttraff.com URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=tp+link+archer+c2+manual
    • http://files.wbabaseball.com/uploads/1/3/1/4/131406604/nixuwadiw.pdf
    • http://files.spjayaraj.com/uploads/1/3/1/6/131606349/03b034ea6e56a0.pdf
    • http://files.risingstarstx17u-girlsbasketball.com/uploads/1/3/1/1/131163740/db2bacd29ec9290.pdf
    • http://files.forventuretravel.com/uploads/1/3/1/0/131069875/299965292a2fd5.pdf
    • http://files.newellbooks.com/uploads/1/3/0/8/130813797/vapujulo_rajeker_vewidufe.pdf
    • https://cdn.shopify.com/s/files/1/0432/2328/5928/files/banalofodubafekimetuta.pdf
    • https://cdn.shopify.com/s/files/1/0432/9196/7652/files/auditoria_administrativa_benjamin_franklin.pdf
    • https://cdn.shopify.com/s/files/1/0451/1108/3160/files/cengage_series_maths.pdf
    • https://cdn.shopify.com/s/files/1/0430/6619/6122/files/generos_literarios_de_la_biblia.pdf
    • https://cdn.shopify.com/s/files/1/0428/5281/0911/files/tajotipapatuposi.pdf
    • https://cdn.shopify.com/s/files/1/0435/3874/3450/files/xosigebepedubagirabe.pdf
    • https://cdn.shopify.com/s/files/1/0436/1004/6621/files/kubofizikozabi.pdf
    • https://cdn.shopify.com/s/files/1/0434/4607/5542/files/can_i_tink_lyrics.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006100.bin
c6c0c5e1de8c24e919387bd6e6d95ee69a049156cdcbd0b55fbac44cb576410d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6100 5140 bytes
font_01_sfnt_off00007240.bin
95954010f8092fa84e967356a06435c39535f67ef6169ea9acc74b9f3b4041b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7240 1704 bytes
font_02_sfnt_off00007aba.bin
3ffd7586b64ec8a183dcdb3ae6da9ad09a1112f3c9e1b635bc8b75d2bbbedc35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7ABA 10324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.