Malicious PDF — malware analysis report

Static analysis result for SHA-256 de548b140424646a…

Verdict: MALICIOUS
File type: PDF
Size: 100.8 KB
Created: 2020-09-15 15:20:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b35d386086b97c8005f61e197254af86
SHA-1: 88ac88709272ae55cb6a31c9b4d0c6583f5c102f
SHA-256: de548b140424646affb4442166bb66d292349e534dc139c5ff443a9a6514dcbf
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

Heuristics matched against this PDF indicate that it is a malicious redirector and a link farm, designed to lure users with payment-related language. The embedded URL, https://ttraff.com/wb?keyword=owner%20documented%20ffi%20reporting, is identified as malicious. The document body, though heavily obfuscated, contains this same URL, reinforcing the lure. The primary attack pattern is social engineering: tricking the user into clicking the malicious link.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure (high, SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.com/wb?keyword=owner%20documented%20ffi%20reporting

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0001512c.bin | 54ac23f2bda11771858caea0c659bf8422d2b6ab8d60a8d5f44311c015fc9169 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1512C | 5176 bytes
font_01_sfnt_off000162ce.bin | 404d35f048a64bf1685493ea616acaa914eb8c4fcb307a7e553a905c7f67e51a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x162CE | 10516 bytes