Malicious PDF — malware analysis report

Static analysis result for SHA-256 df2b2e11a280e2e2…

MALICIOUS

PDF

69.6 KB Created: 2020-09-01 16:19:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d01541f306d23df05a2ec964b0e6dfc SHA-1: ef04b7fe57611e8c33abfdc155d0a5ed4b1ee8da SHA-256: df2b2e11a280e2e2b0450528eeae3558ceca67ca54007d86f94ffc46a159c36b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded external links, a technique often used for SEO poisoning or to redirect users to malicious sites. One of the embedded URLs, 'https://ttraff.cc/wix?keyword=sami+nami+na+waka+waka+song', is flagged as a known malicious redirector. The document body, though heavily obfuscated, also contains this URL. This suggests the primary purpose is to lure the user to a malicious site, likely for further exploitation or malware delivery.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=sami+nami+na+waka+waka+song
    • https://static.usrfiles.com/ugd/b8c837_766d50c1f1614583b851d51ddf05118f.pdf
    • https://static.usrfiles.com/ugd/0cd3a8_4f0207eac4c54c0b8dfb1441948bc651.pdf
    • https://static.usrfiles.com/ugd/b8c837_03d86b7417ca4d8ea362872ef1700ea5.pdf
    • https://static.usrfiles.com/ugd/739437_9e7125ba248948efbbd1fb295477da6d.pdf
    • https://static.usrfiles.com/ugd/dc8a8e_4ad2703aa5dd4dbabf92188537a53f39.pdf
    • https://static.usrfiles.com/ugd/f46427_a2077cb4bb8a4a0d9d8a3793e00d53f1.pdf
    • https://static.usrfiles.com/ugd/e02969_7835dbfabb714215b34ac9187dc65f43.pdf
    • https://static.usrfiles.com/ugd/6908d7_5da839434c274c829533997ff10c3886.pdf
    • https://static.usrfiles.com/ugd/225520_94fb3492a3684668bf58e5cd517d6728.pdf
    • https://static.usrfiles.com/ugd/f1780b_8fafb1174b1347849d962e468bf4852d.pdf
    • https://static.usrfiles.com/ugd/b8c837_1a68b588fcee4f509b10402ac94df59f.pdf
    • https://static.usrfiles.com/ugd/4c7633_aa78c6eae0aa44a4bdf837e5ee75e950.pdf
    • https://static.usrfiles.com/ugd/99afdc_c49c8a1d3bb5457b8a839facbf3e5024.pdf
    • https://static.usrfiles.com/ugd/04e6f9_da94a853dd264294b2e52b253e1d4585.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/bapumonotirugapagemuzigin.pdf
    • https://cdn.shopify.com/s/files/1/0427/6482/8838/files/jugazigewojanurepejufe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cd86.bin
15e9ba7b58a306eb2182cb502e683da2dbcba18019639eed7abe95eca56caab8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCD86 5136 bytes
font_01_sfnt_off0000df06.bin
85faee706300761781ec1c108a98ea6bcf76722f00aeabf7ec1431590fad59a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF06 13204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.