Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccfe402e13b34f13…

MALICIOUS

PDF

Size: 48.1 KB
Created: 2020-08-07 06:11:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f233f9b70d36ea6374a3c144018ddca
SHA-1: b4903ab659d7821173efe7f1f5e6c89a7b82840f
SHA-256: ccfe402e13b34f138bffe844740a89b5e9f4b25a9a03ac081c170a6b1e6f2645
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains multiple links, including one to a known malicious redirector, and is part of a link farm designed to improve search engine rankings for malicious content. The document body and heuristics indicate social engineering lures for downloading files, installing browser extensions, and using remote support tools. The primary malicious URL identified is https://ttraff.com/pify?keyword=pdf+to+word+converter+free+trial, which is likely used to deliver a secondary payload.

Heuristics (6)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Remote-support tool lure (high, SE_REMOTE_SUPPORT_LURE)
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document.
  • Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=pdf+to+word+converter+free+trial (primary malicious URL)
    • http://files.jasminecwilliams.com/uploads/1/3/2/6/132681033/wasujenujuduju.pdf
    • http://juxazevuf.vmwarevelocity.com/uploads/1/3/2/7/132710712/bopofilujiginor.pdf
    • http://files.vukafitness.com/uploads/1/3/1/4/131437848/bbcd391cd40f98f.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nasodidupafulad.pdf
    • https://cdn.shopify.com/s/files/1/0431/7272/4897/files/90282091497.pdf
    • https://cdn.shopify.com/s/files/1/0431/8671/6830/files/jusosakavulafoxakig.pdf
    • https://cdn.shopify.com/s/files/1/0429/5812/7270/files/kupejipitalunikumuruwa.pdf
    • https://cdn.shopify.com/s/files/1/0427/6961/2966/files/ford_8000_tractor.pdf
    • https://cdn.shopify.com/s/files/1/0431/7229/8918/files/solid_converter_v9.pdf
    • https://cdn.shopify.com/s/files/1/0434/4584/6168/files/onan_microquiet_4000_manual.pdf
    • https://cdn.shopify.com/s/files/1/0434/2287/5797/files/physiology_book_in_bengali.pdf
    • https://cdn.shopify.com/s/files/1/0431/9395/8560/files/bosques_humedos_tropicales.pdf
    • https://cdn.shopify.com/s/files/1/0437/1772/2280/files/ar_magazine_loader.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000736f.bin | 9a9fc48f6dc3db7f8f64a6c02ca264c889adcc0deea2207335709f9cf449f39b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x736F | 4780 bytes
font_01_sfnt_off000083c4.bin | b417043f6464733975e6ba6d6eb15e6f84a594739f204b8f323916a18a2681bd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x83C4 | 9964 bytes
font_02_sfnt_off0000a5d5.bin | a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5D5 | 4324 bytes