Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd6ea6db438f368e…

Verdict: MALICIOUS
File type: PDF
Size: 41.0 KB
Created: 2020-09-01 03:25:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7f031c9ef269d5d03cb5714002f97314
SHA-1: 40acd16ad2646d865d529ef10a1a622dcddb6026
SHA-256: dd6ea6db438f368ea1ec2beba76a91efa424a785774bbc8d5b082aaa6aa97b2d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.cc/wix?keyword=deloitte+asc+740+guide', is designed to lead users to malicious infrastructure. The PDF also triggers a link-farm heuristic, indicating a large number of outbound links; many of these point to benign Shopify URLs, but the primary malicious intent is driven by the redirector. No scripts were extracted from this sample.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=deloitte+asc+740+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                    | Size
font_00_sfnt_off00006160.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6160 | 5320 bytes
  SHA-256: c51c14367d985688d83689ad98db31be69da9dd43089471856ea85a922bef675
font_01_sfnt_off0000739d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x739D | 10544 bytes
  SHA-256: 8c703606d36bfaa2e3ba15bd932996944d140ed40d1c7362b6888ac951fbbd54