Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2a99be1fae3c319…

Verdict: MALICIOUS
File type: PDF
Size: 94.6 KB
Created: 2020-08-29 06:57:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ba7cde07b8ef8a6c2a1101cb59fe3bc
SHA-1: 5ba8ee0740798a011b1a670e458d6df8f7c3d000
SHA-256: d2a99be1fae3c3191207f38436264ce7e4c231d38e052a2eadeb13dac05c902a
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link (note: T1566.002 is Spearphishing Link; Spearphishing Attachment is T1566.001. The lure inside this document is a clickable link; the file itself would be the attachment if it were mailed.)
T1059.001 Command and Scripting Interpreter: PowerShell (listed, but not supported by the static evidence in this report: no scripts were extracted from the sample)

The PDF is a mass external link farm, with one prominent link pointing to a known malicious redirector. The document body, held in Flate-compressed content streams (standard compression, so the text is not visible to a plain string search of the file), contains the URL 'https://ttraff.me/wix?keyword=paper+towns+subtitles', a "subtitles download" lure that routes the victim to potentially malicious content. No scripts were extracted; the document's links and the redirect chain behind them are the attack vector, not a parser exploit.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://ttraff.me/wix?keyword=paper+towns+subtitles
    • https://cdn.shopify.com/s/files/1/0434/2808/5912/files/36892129349.pdf
    • https://cdn.shopify.com/s/files/1/0435/6213/9816/files/cyberflix_apk_free.pdf
    • https://cdn.shopify.com/s/files/1/0431/4457/7178/files/xutikoko.pdf
    • https://cdn.shopify.com/s/files/1/0433/8778/1287/files/hartshorne_algebraic_geometry_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/5820/8674/files/88778764695.pdf
    • https://cdn.shopify.com/s/files/1/0427/9799/0055/files/vifuzu.pdf
    • https://cdn.shopify.com/s/files/1/0457/3734/5180/files/54537204474.pdf
    • https://cdn.shopify.com/s/files/1/0429/4826/4089/files/wijilesulufifegi.pdf
    • https://cdn.shopify.com/s/files/1/0431/9143/5422/files/walt_disney_world_animal_kingdom_map.pdf
    • https://static.usrfiles.com/ugd/b8c837_f7e58743c2014c5bae040b09d7186fc7.pdf
    • https://static.usrfiles.com/ugd/b8c837_2b2c970cff3e457c84bf45908c0f8b27.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b6ef798cb8945d88b24fc933ada41e6.pdf
    • https://static.usrfiles.com/ugd/b8c837_b24f09a0afc94eb8a3a36743a3374409.pdf
    • https://static.usrfiles.com/ugd/b8c837_34adfaa9bc7647e0a830fd03a0230aa4.pdf
    • https://static.usrfiles.com/ugd/b8c837_0e26aba2fe3248e48108a57d43fa3a8c.pdf
    • https://static.usrfiles.com/ugd/b8c837_65578ffde2174e11a61e8ae217c79e0e.pdf
    • https://static.usrfiles.com/ugd/b8c837_fbdbec32871a4be692c3e21ffaa8d85e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace identifiers from the document's metadata packet, not clickable links; they should be excluded when counting external links.
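A worked example of the checks the three heuristics above describe, added here as illustration; it is not code from the original report or from the analysis engine that produced it. Using only the Python standard library it carves FlateDecode streams (the same "decompressed-pdf-stream" artifacts listed further down), extracts URLs and labels the channel that exposed each one (link annotation versus document body), then applies the link-farm clustering check and a redirector-host match. The redirector blocklist (seeded from this report's own finding), the size and count thresholds, and the sample PDF built by build_sample_pdf() are constructed assumptions; the sample is not the analysed file.

```python
"""Triage a PDF for SEO link-farm / redirector lures with the standard library only."""
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Assumption: seeded from the report's finding; a real deployment pulls this from intel feeds.
REDIRECTOR_HOSTS = {"ttraff.me"}
MAX_SMALL_PDF = 200 * 1024     # assumption: "small" means under 200 KB
MIN_FARM_LINKS = 8             # assumption: at least this many external link annotations
MIN_TOP_HOST_SHARE = 0.5       # assumption: half or more of them on a single host

# Stream dictionary (one level of nesting) followed by the 'stream' keyword.
STREAM_HDR_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.S)
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /URI (literal string) only
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def iter_streams(data):
    """Yield (offset, dict_bytes, raw_bytes) for every 'stream ... endstream' object."""
    for m in STREAM_HDR_RE.finditer(data):
        start, d = m.end(), m.group(1)
        lm = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", d)  # direct /Length, not a reference
        length = int(lm.group(1)) if lm else None
        if length is not None and data.find(b"endstream", start + length, start + length + 11) != -1:
            raw = data[start:start + length]
        else:                                                  # fall back to scanning for the keyword
            raw = data[start:data.find(b"endstream", start)].rstrip(b"\r\n")
        yield start, d, raw


def carve_streams(data):
    """Inflate FlateDecode streams and record offset, size and SHA-256 of the plaintext."""
    out = []
    for off, d, raw in iter_streams(data):
        if b"/FlateDecode" not in d:
            continue
        try:
            content = zlib.decompress(raw)
        except zlib.error:
            continue                                           # truncated or damaged stream
        out.append({"offset": f"0x{off:X}", "size": len(content),
                    "sha256": hashlib.sha256(content).hexdigest(), "content": content})
    return out


def extract_urls(data, streams):
    """Return [(channel, url)] so each URL is tied to the channel that exposed it."""
    found = [("link-annotation", u.decode("latin-1")) for u in URI_ANNOT_RE.findall(data)]
    for s in streams:
        body = s["content"]
        annot = set(URI_ANNOT_RE.findall(body))                # /URI inside inflated object streams
        found += [("link-annotation", u.decode("latin-1")) for u in annot]
        found += [("document-body", u.decode("latin-1"))       # plain text of a content stream
                  for u in URL_RE.findall(body) if u not in annot]
    return found


def triage(data):
    """Run the redirector and link-farm heuristics; returns artifacts, URLs, host counts, flags."""
    streams = carve_streams(data)
    urls = extract_urls(data, streams)
    links = [u for ch, u in urls if ch == "link-annotation"]
    hosts = Counter(urlparse(u).hostname for u in links)
    flags = []
    hit = sorted({u for _, u in urls if urlparse(u).hostname in REDIRECTOR_HOSTS})
    if hit:
        flags.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", hit))
    if links and len(data) <= MAX_SMALL_PDF and len(links) >= MIN_FARM_LINKS:
        top_host, n = hosts.most_common(1)[0]
        if n / len(links) >= MIN_TOP_HOST_SHARE:
            flags.append(("PDF_SEO_LINK_FARM", "critical", [f"{n}/{len(links)} links on {top_host}"]))
    artifacts = [{k: v for k, v in s.items() if k != "content"} for s in streams]
    return {"artifacts": artifacts, "urls": urls, "hosts": hosts, "flags": flags}


def build_sample_pdf():
    """Constructed sample (not the analysed file): one Flate content stream whose text carries
    the redirector URL, plus ten /URI link annotations, nine of them on one host."""
    text = b"BT /F1 12 Tf (Download: https://ttraff.me/wix?keyword=example) Tj ET"
    comp = zlib.compress(text)
    parts = [b"%PDF-1.4\n", b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp),
             comp, b"\nendstream\nendobj\n"]
    links = [b"https://cdn.example-farm.test/files/%d.pdf" % i for i in range(9)]
    links.append(b"https://static.other-host.test/ugd/a.pdf")
    for n, u in enumerate(links, start=10):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, u))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    result = triage(data)
    for a in result["artifacts"]:
        print("stream at", a["offset"], a["size"], "bytes", a["sha256"])
    for ch, u in result["urls"]:
        print(f"[{ch}] {u}")
    for ident, sev, evidence in result["flags"]:
        print(f"{sev.upper()} {ident}: {'; '.join(evidence)}")
```

Run it with a file path to triage a real document, or with no arguments to see the constructed sample trip both critical heuristics. The URL regexes are triage-grade: they miss /URI values written as hex strings or containing escaped parentheses, do not follow indirect /Length references, and count XMP namespace URIs as document-body hits if they appear in an inflated stream, which is why the redirector match and the link-farm count are computed over link annotations and the body separately.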

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

stream_016_off000138a9.bin
  Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x138A9 | Size: 18892 bytes
  SHA-256: 325885a5cc232997f9265752ff893518e3588b49fec3e6934508a2ba2299ec55
font_00_sfnt_off0000610e.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x610E | Size: 7916 bytes
  SHA-256: 4fca73d47fa94a6ad668c0f4434483fdc2f54e6be5ae77a011c3735f5dfefd3b
font_01_sfnt_off0000756f.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x756F | Size: 4032 bytes
  SHA-256: 51036caeaaec89de8680405f123e86dc84267b6fe8b2de34ea0e6c667ded1fe3
font_02_sfnt_off000083e1.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x83E1 | Size: 5044 bytes
  SHA-256: b6b77a517b93badf4fdcd7e5a3652b15197b5cf8b7ad8ac90337a63b30f1a9e4
font_03_sfnt_off0000951a.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x951A | Size: 2656 bytes
  SHA-256: dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
font_04_sfnt_off0000a01c.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xA01C | Size: 4140 bytes
  SHA-256: 7073f777ec002e82a856420936458262fa3cc3b4ee0437ed56f01fa51c4379d2
font_05_sfnt_off0000ad3a.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xAD3A | Size: 3048 bytes
  SHA-256: 2f58f42410b60611991c12283e964e03297a95500ca09b14f4d605296bc50bc4
font_06_sfnt_off0000b949.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xB949 | Size: 2328 bytes
  SHA-256: 864cbe2c6973b44d2b71e19ffbffb2328dcb3759b07ceb43c11d5a372fc4956d
font_07_sfnt_off0000c401.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xC401 | Size: 2604 bytes
  SHA-256: 0e4b190990c22158f359a0de2485c61736e93a484cfb226f63bccb9bc1da1b2f
font_08_sfnt_off0000ced9.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xCED9 | Size: 3840 bytes
  SHA-256: 5b8e8035f8940535bfb5f3d78de7d5c45dbc51c905faa5d9788b8fc152e96872
font_09_sfnt_off0000dceb.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xDCEB | Size: 2108 bytes
  SHA-256: d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e
font_10_sfnt_off0000e6c9.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xE6C9 | Size: 4336 bytes
  SHA-256: 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284
font_11_sfnt_off0000f469.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xF469 | Size: 6148 bytes
  SHA-256: 149738eb3e1d0bfb4a5732e89a115965e6f0cf3fc4971c694d3ce3619176544d
font_12_sfnt_off00010452.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x10452 | Size: 16884 bytes
  SHA-256: 827ccba2f670a5ac0764bafdb5820d7b94a86a3835f3e92649d771d93b19cea7
font_14_sfnt_off00015806.bin
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x15806 | Size: 3536 bytes
  SHA-256: 7260850907c932567cbfd34933d3cabda316f162d2897651222b22ae0a4cbd12