Malicious PDF — malware analysis report

Static analysis result for SHA-256 df82f76edd6832ec…

MALICIOUS

PDF

40.8 KB Created: 2020-08-21 03:25:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fec022a8b99619a5a542a0b85e40eb51 SHA-1: cfb765d9bea659c3f06c78bb3f6f8f622189c72f SHA-256: df82f76edd6832ec707c69d11aa5b1078f68c7ca08b98766b9b8ab787fc00709
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Link

The PDF contains a mass external link farm, with one critical link pointing to a known malicious redirector. The document body text and heuristics indicate a social engineering lure to install a browser extension or update, which is a common method for malware delivery. The primary malicious URL identified is https://ttraff.com/pify?keyword=chromedriver+.+default+directory+python.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=chromedriver+.+default+directory+python
    • http://duvega.globalafricancreates.com/uploads/1/3/1/4/131437615/jisilomodidigerutova.pdf
    • http://files.princesspalacetijuana.com/uploads/1/3/1/0/131070035/a2ea29.pdf
    • http://files.walnutcreekbulldawgs.org/uploads/1/3/1/6/131636562/98136157d.pdf
    • https://cdn.shopify.com/s/files/1/0437/4613/2119/files/fivosuwusogaxugadogo.pdf
    • https://cdn.shopify.com/s/files/1/0429/9587/6003/files/38598830677.pdf
    • https://cdn.shopify.com/s/files/1/0440/6152/4118/files/vatavetiwavenin.pdf
    • https://cdn.shopify.com/s/files/1/0430/4617/4877/files/35978006497.pdf
    • https://cdn.shopify.com/s/files/1/0429/5157/3657/files/lil_durk_higher_mp3_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/4361/8965/files/59739904194.pdf
    • https://cdn.shopify.com/s/files/1/0447/8536/9239/files/alter_ego_plus_a2.pdf
    • https://cdn.shopify.com/s/files/1/0432/4897/6027/files/38764922750.pdf
    • https://cdn.shopify.com/s/files/1/0432/3917/8399/files/panegexekakaxufofukafenil.pdf
    • https://cdn.shopify.com/s/files/1/0431/2920/8983/files/xevolo.pdf
    • https://cdn.shopify.com/s/files/1/0432/5136/8104/files/9236952328.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ee3.bin
1a3f633167137b823a58660f4c85c2ad6efe52e2918777424ee574516cfd3905		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE3 5316 bytes
font_01_sfnt_off000070ea.bin
7bab5f5b4cc48a4e3d3a96c19ba6c6093b3592fd4acf300802f5fcf48f102f48		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70EA 11248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.