Malicious PDF — malware analysis report

Static analysis result for SHA-256 e38bc7e7b65294ca…

MALICIOUS

PDF

32.5 KB Created: 2020-08-14 21:10:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 568e8a27c2ad43e40fdad3e7e6b499dc SHA-1: 38fefc098d8371225299b46d2bd3fe57ab65fff9 SHA-256: e38bc7e7b65294ca2c853d8bbb3416ff408918d5a0c8041a04b9487083b0fe22
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing indicating it links to a known malicious redirector, specifically ttraff.com. The document body, though partially corrupted, contains text related to a 'Sonata 2010 owners manual' and includes the malicious URL. This suggests a social engineering lure to trick users into visiting a malicious site, likely for further exploitation or credential harvesting. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=sonata%202010%20owners%20manual
    • http://files.hosshakukempon.com/uploads/1/3/1/8/131857419/xumavagonokotun-lakebosibuvodad-gapizufuda.pdf
    • https://cdn.shopify.com/s/files/1/0431/9376/1941/files/simariwipagefegavigawe.pdf
    • https://cdn.shopify.com/s/files/1/0433/8502/8758/files/residential_load_calculation_manual_j.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/6733015585.pdf
    • https://cdn.shopify.com/s/files/1/0431/6659/7288/files/niripisudavuvajoxa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0287/9387/files/dazumimof.pdf
    • https://cdn.shopify.com/s/files/1/0428/7610/8956/files/40929045408.pdf
    • https://cdn.shopify.com/s/files/1/0434/3165/7638/files/41866845122.pdf
    • https://cdn.shopify.com/s/files/1/0433/1329/9620/files/90384498943.pdf
    • https://cdn.shopify.com/s/files/1/0437/7490/2423/files/fuzakuxixufegubakatibote.pdf
    • https://cdn.shopify.com/s/files/1/0432/4648/5672/files/58292135660.pdf
    • https://cdn.shopify.com/s/files/1/0430/0118/4417/files/mario_benedetti_la_tregua.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000043c6.bin
fb4321d64368a335281164fe83de2cea6d28e600a9a527a4e029ec4a51adc025		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43C6 5352 bytes
font_01_sfnt_off000055eb.bin
54543c56c3b59865007c69fceefe9501d1f7470a435fabe6c2b0a4c48ff9fa7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55EB 9372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.