Malicious PDF — malware analysis report

Static analysis result for SHA-256 db3e23d309e8a7a4…

MALICIOUS

PDF

61.5 KB Created: 2020-08-31 03:33:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 769c0e3e8e6c7a5e6e57815dcfe7a984 SHA-1: e3e99b794411534de44624b208a27509a43ce59e SHA-256: db3e23d309e8a7a4eb898d52d4110ea4eceb33dab01fc2e632ee51b9acd57e60
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/wix?keyword=xlr+wiring+schematic'. This URL is presented within the document body, suggesting a social engineering lure to trick the user into visiting a malicious site. The file also contains a large number of external PDF links, characteristic of a link farm, further supporting the malicious intent.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=xlr+wiring+schematic
    • https://static.usrfiles.com/ugd/6c98bc_3caed0aae7c64d57bb9c78eeddfb3634.pdf
    • https://static.usrfiles.com/ugd/72216b_b9b3abb07b30478f9c0ed9db85859b5b.pdf
    • https://static.usrfiles.com/ugd/a48928_75fb756b3be74fe3af96a6e1aa474454.pdf
    • https://cdn.shopify.com/s/files/1/0432/3350/9534/files/nefivomip.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/89349082521.pdf
    • https://static.usrfiles.com/ugd/b8c837_e61ca8ca5bbe4d16a1c09b3faeaadb92.pdf
    • https://static.usrfiles.com/ugd/6da380_3e957ba793b540d88e6c88bfe85190a4.pdf
    • https://static.usrfiles.com/ugd/d9d1f5_4ebdae882604400a8459b49c47b08d07.pdf
    • https://cdn.shopify.com/s/files/1/0431/2724/2914/files/19445915250.pdf
    • https://cdn.shopify.com/s/files/1/0432/0247/8237/files/bgp_configuration_step_by_step.pdf
    • https://cdn.shopify.com/s/files/1/0437/8784/5790/files/fleetwood_mac_dreams_psychemagik_remix.pdf
    • https://cdn.shopify.com/s/files/1/0434/1432/3356/files/tiduxolipugutolez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a6c1.bin
606f944e6cdd0a40fdf4e89877aae6b74ff5508e746c70027de89e7156c0c557		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA6C1 4960 bytes
font_01_sfnt_off0000b766.bin
39833ce49f17a61920e15f1021ac61eff88d68b26311e94afad55902e4c31dc1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB766 10416 bytes
font_02_sfnt_off0000db04.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB04 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.