Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3b36afb10352be8…

Verdict: MALICIOUS
File type: PDF
Size: 49.7 KB
Created: 2020-09-08 13:51:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 20ed4079d29a0b06cd0022c4bbd473d9
SHA-1: ea0f86ab3225401fcda57585a0823c861c8ff1dc
SHA-256: e3b36afb10352be8513b8a59afcd00fdc225e38bd1ee65b0918a911de9392998
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a lure for a game download, which is a common social engineering tactic. It embeds a link to a redirector service, 'ttraff.me', which is flagged as malicious. The document also contains a mass of external PDF links, likely for SEO poisoning, and mentions password protection, suggesting a multi-stage attack. No scripts were extracted, but the primary malicious action appears to be directing the user to a malicious URL.

Heuristics (5)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  https://ttraff.me/wix?keyword=assassin%2527+s+creed+3+highly+compressed

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006b45.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6B45  5484 bytes
  SHA-256: 92970033a739546a70ab9317f8a3581090013879046548b04cea555e77c17b9a
font_01_sfnt_off00007db0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7DB0  2728 bytes
  SHA-256: 156c1c90de0ed204b2bfeb72836c3b7fd792da3f616467e977fbd5e5cbd01021
font_02_sfnt_off00008947.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8947  9948 bytes
  SHA-256: a54810dfcdcf0c137d36197f22da274844152b3aba1382ba60899c79e3c35cf6
font_03_sfnt_off0000ab53.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xAB53  4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333