Malicious PDF — malware analysis report

Static analysis result for SHA-256 e360f4e2ca4c23a2…

MALICIOUS

PDF

36.6 KB Created: 2020-09-19 21:19:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 757c1e7eec122122e05fd9f5c4c5eab2 SHA-1: 1d8f0163e041782b8905778cd21f729fd12f947a SHA-256: e360f4e2ca4c23a2ba856cc6c1dbb5aa396ee1bc8ee9181b78f041918ad1694b
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, including a critical finding of a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL 'https://ttraff.link/wix?keyword=bell+cafe+kumc', suggesting a lure. Additionally, a heuristic identified a PDF link farm, with many links pointing to PDF files hosted on various domains, indicating a potential attempt to distribute further malicious content or engage in SEO abuse. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=bell+cafe+kumc
    • http://xarufonox.kdotspeed.com/uploads/1/3/0/9/130968973/852471.pdf
    • http://files.laplatabaptistchurch.org/uploads/1/3/0/9/130969452/bafoju_pebar_vifebexefe_bapon.pdf
    • http://files.myjlstyle.com/uploads/1/3/1/0/131070476/3d0aac5.pdf
    • http://files.gracechurchponcacity.org/uploads/1/3/0/9/130969545/530e1d.pdf
    • http://wudixare.rebeccarankinyoga.com/uploads/1/3/0/7/130776644/51e9b83ac37.pdf
    • https://cdn.shopify.com/s/files/1/0461/7037/4296/files/9962626730.pdf
    • https://cdn.shopify.com/s/files/1/0434/8759/2608/files/46851417144.pdf
    • https://cdn.shopify.com/s/files/1/0434/2949/4940/files/40083287342.pdf
    • https://72032c6c-3b18-4b10-8cc0-f0a4575abd8e.filesusr.com/ugd/f103bb_64582f1b9ba74c928a3ac2fc851aaa65.pdf?index=true
    • https://804002f9-aa51-4087-9e98-8fd3839231ab.filesusr.com/ugd/ff3115_a870aff37a00424abd92876f9c2d8347.pdf?index=true
    • https://0132e1d4-654d-425e-ad3d-592dcc03b432.filesusr.com/ugd/d19ca0_38c0c9567bd042c383c19529a65d8f1a.pdf?index=true
    • https://57876ead-098a-4192-be52-1addd2f49aff.filesusr.com/ugd/7b00a0_bed1550f949b4a77bce7c022c870aca9.pdf?index=true
    • https://bab6457e-1e15-48ff-9322-aaafa56c2b63.filesusr.com/ugd/8e6e76_bbcef6a285fe42218385825b6dbbbc7b.pdf?index=true
    • https://6ae8608f-c54f-491b-8b88-299d197243ce.filesusr.com/ugd/ea78e0_ce38f8d05cb24f88946e54900362184c.pdf?index=true
    • https://ab883589-60b5-4f11-8433-7195bf246a70.filesusr.com/ugd/cfbfd2_3012a84220ee4341a1cf1ab552fd4c02.pdf?index=true
    • https://9c739469-a3c8-45aa-b294-e944ee219237.filesusr.com/ugd/64e449_dc15d56d85344f7fb80382f726b0c9eb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000046c7.bin
f1adb3ec73ca519a0068e6171d460096737ae519e6bc49d1ef4c4400a9acd2f7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x46C7 4404 bytes
font_01_sfnt_off000055c6.bin
903ece744b486f30c74120208b30a8260c2fb5ad1bdc370c1a19050b28855b37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55C6 9832 bytes
font_02_sfnt_off00007768.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7768 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.