Malicious PDF — malware analysis report

Static analysis result for SHA-256 d70b6b891365fe92…

Verdict: MALICIOUS
File type: PDF
Size: 52.0 KB
Created: 2020-08-19 14:51:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f5dc55ef15988e03bd7c8ba4a2070b07
SHA-1: 688781c43e3687265b376cd56b871f56030bd4aa
SHA-256: d70b6b891365fe926f4379015743acd80f21a9f4ea7073040fb59b35058f1c6f
Risk score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains heuristics indicating it is a malicious redirector and part of a link farm, disguised as an invoice lure. The primary malicious URL identified is ttraff.com, which is used to redirect the user. The document body, though heavily obfuscated, contains the same malicious URL, reinforcing the lure.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.com/pify?keyword=street+fighter+4+hd+android+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00008de6.bin
  SHA-256: 104693b50f8d397e9f3e5dc5a3fbe3627a666532d07c497233b7b0873d8d5256
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DE6
  Size: 5148 bytes

Artifact 2
  Filename: font_01_sfnt_off00009f62.bin
  SHA-256: 0d5ef3b89c4b29a1d11126ec903a5ccac9ed22086a1694b6d76fe74bfb3892f2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9F62
  Size: 10472 bytes