Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1c4c39b0dba11e1…

MALICIOUS

PDF

36.0 KB Created: 2020-08-30 21:57:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a37fb52600d00d861ad84ecbae62d3ec SHA-1: 38e217f74853551c73f75f9112346bc8086ab780 SHA-256: d1c4c39b0dba11e17e4e7294c98d3330d43a0c729a983eb6feb2f31ea7f59d87
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains a critical heuristic indicating it's a malicious redirector, pointing to 'ttraff.com'. The document body, though heavily obfuscated, contains the same URL, suggesting a lure. The file also exhibits characteristics of a link farm, with numerous embedded links to external PDFs, likely to obscure the malicious redirector. The presence of a 'download button' heuristic further supports a malicious workflow.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=nina+hartley%2527+s+guide+to+anal+sex
    • https://static.usrfiles.com/ugd/cf79db_a0666c32d6e245c1800429ad6a6b8b10.pdf
    • https://static.usrfiles.com/ugd/bdeb4c_fb16110a2a2f494394580c8e5b3636d1.pdf
    • https://static.usrfiles.com/ugd/b8c837_b617370c43ad47229a90c2b3610463ac.pdf
    • https://static.usrfiles.com/ugd/850f07_f615f3b05209468d875ffe36c4293004.pdf
    • https://static.usrfiles.com/ugd/b8c837_9e3b4622226e425fbc95cc7d4cf7127b.pdf
    • https://cdn.shopify.com/s/files/1/0428/9724/4316/files/poxapovonojo.pdf
    • https://cdn.shopify.com/s/files/1/0431/2668/5858/files/36554006970.pdf
    • https://cdn.shopify.com/s/files/1/0438/1917/2002/files/kumifafutoserapanamaz.pdf
    • https://cdn.shopify.com/s/files/1/0459/6698/3335/files/adwords_exam_questions_and_answers.pdf
    • https://cdn.shopify.com/s/files/1/0432/8387/3942/files/install_cuda_10._0.pdf
    • https://static.usrfiles.com/ugd/cbdbb6_b308fdc3d0584de3b220975008075444.pdf
    • https://static.usrfiles.com/ugd/3bca44_2f728a4bf36543bd901615ff6a77168b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004826.bin
91de3eafe44317d15dc62d0322792f50d70b03441e95ba0d424c41f3e3c5adea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4826 5260 bytes
font_01_sfnt_off00005a10.bin
1cf0abc2bbb20961cd8cb784774a1e2f4ade562d8dbb27370bc3582bcfe0bf64		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A10 12932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.