Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd5d52a65f9ffd43…

Verdict: MALICIOUS
File type: PDF
Size: 63.0 KB
Created: 2020-09-06 02:02:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 115a76e88bc9db927973e4254841c127
SHA-1: 61a42a269f14d5badd61985fae597e13c6c1bbbc
SHA-256: dd5d52a65f9ffd43c133c6394422390d62edd2278b0d816c14050fb42bd7d088
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a link farm with numerous external links, including a critical redirector link to 'ttraff.me'. This indicates a likely attempt to distribute malware or conduct phishing. The presence of a 'LOLBin run command' heuristic suggests that the document may also contain instructions or embedded scripts that leverage Windows execution tools to further the attack. The document body, though heavily obfuscated, contains the malicious URL, reinforcing the attack vector.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=kannada+janapada+love+feeling+songs+free

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00007ae3.bin
    SHA-256: 42438fd0b798bc3d21af35c91a08ed78b221876072ce0b58cc5f5dd8a26f6673
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x7AE3
    Size: 15592 bytes
  • Filename: font_00_sfnt_off000068a9.bin
    SHA-256: e0a3c8cfcb70f1e26425389eb4acff19a48e27c80848eb4c14e98a07f6dc68a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x68A9
    Size: 5316 bytes
  • Filename: font_02_sfnt_off00009ebf.bin
    SHA-256: 6edd2dc65f8cc0d4bfc465674af3a6957927c9580e196fa1f2ecab0bfce717d7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9EBF
    Size: 2024 bytes
  • Filename: font_03_sfnt_off0000a856.bin
    SHA-256: 36cd9f1dc56a13fd7f3de8cf6cf962624c16f6facee4455c439517e81f202fd6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA856
    Size: 15300 bytes
  • Filename: font_04_sfnt_off0000d82c.bin
    SHA-256: f53b43e12006e3d52612f085e6e184fa5bba3604999f0cb64562e6bb996dc06b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD82C
    Size: 16384 bytes