Malicious PDF — malware analysis report

Static analysis result for SHA-256 dee9199fd68b7e7a…

MALICIOUS

PDF

32.9 KB Created: 2020-08-29 21:45:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b803bcc4e016ac73e99eb68eecdcb2d SHA-1: 7f053c0aa00e536b6d7b75ba87ebadb28bd138bf SHA-256: dee9199fd68b7e7ab394bf28650ff3df1e482eb43b8492aeaa949bed2a0aea12
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, ttraff.com, which is likely intended to lead the user to a phishing or malware distribution site. The document body and embedded links suggest a link farm or SEO poisoning technique to attract victims. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=troy+bilt+47321+parts
    • https://static.usrfiles.com/ugd/b8c837_a27ceee5ee714d4b8ebded0024d36048.pdf
    • https://static.usrfiles.com/ugd/0779a3_8820f3d709d54527902524ab63b281ca.pdf
    • https://static.usrfiles.com/ugd/d01287_fa478206e20543fba93ff1356680cdf9.pdf
    • https://cdn.shopify.com/s/files/1/0432/1466/7934/files/kirchhoff_s_second_law.pdf
    • https://static.usrfiles.com/ugd/0c268c_338956ece14340a2b826debc9392cabb.pdf
    • https://static.usrfiles.com/ugd/f46427_33a6d25b31fe48779770cdd996da684e.pdf
    • https://static.usrfiles.com/ugd/b8c837_c112fd4767cd431aad59b708858221f5.pdf
    • https://static.usrfiles.com/ugd/b8c837_08b7e61acb7943a58bb4d15be473e1be.pdf
    • https://cdn.shopify.com/s/files/1/0431/8999/3635/files/certified_ethical_hacking_course.pdf
    • https://cdn.shopify.com/s/files/1/0438/4079/8885/files/binomial_theorem_for_jee_mains.pdf
    • https://cdn.shopify.com/s/files/1/0430/8497/2183/files/vaxit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000446e.bin
8ce2284d5a98fb393af1c73c4813ee311c123f7a691765862c0df7708e377896		 pdf-font-stream PDF embedded font (sfnt) at offset 0x446E 5520 bytes
font_01_sfnt_off0000574f.bin
c4814978b11ac246b91a1db78ee9bb5d22881365e2e7224fc56dbf5cce64410e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x574F 9452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.