Malicious PDF — malware analysis report

Static analysis result for SHA-256 ded207e6a8b759dd…

MALICIOUS

PDF

39.3 KB Created: 2020-08-30 15:45:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 614321f58683198151fb357a6921d343 SHA-1: 8bacbb6ac6280d38bde4cf635fb6c7a8d3562e47 SHA-256: ded207e6a8b759dd1efa45fbbcbe74f69c17ee9c938ddc9aa645f002c049c37a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a technique often used for SEO poisoning or to redirect users to malicious sites. One critical heuristic firing indicates a direct link to a known malicious redirector infrastructure at 'https://ttraff.cc/wix?keyword=jeep+patriot+windshield+wiper+size'. The document body, though heavily obfuscated, contains references to this URL and the topic of Jeep Patriot windshield wiper sizes, suggesting a lure to attract clicks.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=jeep+patriot+windshield+wiper+size
    • https://static.usrfiles.com/ugd/b8c837_faf4b760045644569e9bacd5aefa5609.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ea319eff5db48a3b0b40251a6ba6f08.pdf
    • https://static.usrfiles.com/ugd/b8c837_8c1f3fb7df974c00b7f3a8f0f9b5b514.pdf
    • https://static.usrfiles.com/ugd/87fdc7_1cd83354289a4743a90b233fe2b39444.pdf
    • https://static.usrfiles.com/ugd/576447_d95bbbfc01954d94b02b56b8c9b709a8.pdf
    • https://static.usrfiles.com/ugd/ea78e0_ff34fdb1f78d4bf1a85943774a412a7d.pdf
    • https://cdn.shopify.com/s/files/1/0430/8857/6673/files/kujatoposujemekasixofelef.pdf
    • https://cdn.shopify.com/s/files/1/0438/5452/8677/files/git_conflict_resolution_tool.pdf
    • https://cdn.shopify.com/s/files/1/0441/0087/8488/files/15363034721.pdf
    • https://cdn.shopify.com/s/files/1/0434/4892/6364/files/301_1_4_hard_stainless_steel_sheet.pdf
    • https://static.usrfiles.com/ugd/9904c2_07943037982b4ea4aacfac609a97abbe.pdf
    • https://static.usrfiles.com/ugd/b8c837_9715053a54e94b3b8f940633536883ea.pdf
    • https://static.usrfiles.com/ugd/b8c837_04ba36cb25b14989b3ddd3fe3d2cb6fb.pdf
    • https://static.usrfiles.com/ugd/b8c837_0386f3b8c84d4403ae92a649a43a33dc.pdf
    • https://static.usrfiles.com/ugd/b8c837_794924bd2501441fa6219088ae1e30bc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b35.bin
0378fe5b1936fddc7a6235b6d45561504e6e6f90769aa87d19b90295581f02dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B35 5176 bytes
font_01_sfnt_off00006cdf.bin
c703d1eff9bbd5b0799e8c17b00b9199fc500a23a0210259ab19571633ec787a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CDF 10352 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.