Malicious PDF — malware analysis report

Static analysis result for SHA-256 e48db766f99c90ea…

MALICIOUS

PDF

41.9 KB Created: 2020-08-30 19:41:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e033676b3f2c127375df65306269ab0d SHA-1: 7fbe2f7c79afc92aeb862bd5d8b6e2eed52c7858 SHA-256: e48db766f99c90eafe4c3cd4f67924536a7847a75fa88f18c00af10fb5809653
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a malicious redirector link pointing to ttraff.com, which is a known malicious domain. The document also features a link farm of numerous PDFs hosted on static.usrfiles.com, suggesting an attempt to manipulate search engine results or distribute content. The presence of a 'download button' lure further supports a social engineering attack. No scripts were extracted, but the primary malicious activity appears to be redirection via a link.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=quantum+3213+manual
    • https://static.usrfiles.com/ugd/ea5d7b_734a751579de4effa6be7ffc39b29562.pdf
    • https://static.usrfiles.com/ugd/b8c837_25f4a55853374376ac28586243a8f969.pdf
    • https://static.usrfiles.com/ugd/b8c837_c53fce6494ad447ebf461da4fc0fe626.pdf
    • https://static.usrfiles.com/ugd/b8c837_bcd8973795be41eb839cd04e31656ea2.pdf
    • https://static.usrfiles.com/ugd/d3758e_cef68bf8cdfe4863ae9dcee8e97a2f12.pdf
    • https://cdn.shopify.com/s/files/1/0427/7361/0663/files/76031565134.pdf
    • https://cdn.shopify.com/s/files/1/0430/6511/4775/files/breadboard_circuit_projects.pdf
    • https://cdn.shopify.com/s/files/1/0429/1064/6435/files/kobemamotavawekon.pdf
    • https://cdn.shopify.com/s/files/1/0429/0864/7580/files/zogesegirexibonazewipama.pdf
    • https://static.usrfiles.com/ugd/07625c_3d8eb4d777ac4244a482e6c0c5801ddc.pdf
    • https://static.usrfiles.com/ugd/b8c837_c59f01c313944bd89b6c6d5c60b9c983.pdf
    • https://cdn.shopify.com/s/files/1/0432/6113/2968/files/vepujazibixafos.pdf
    • https://cdn.shopify.com/s/files/1/0433/5999/4014/files/41742167416.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066a7.bin
b82b78fd165dc71a06cd882651e1db7d1d31527e610b09388d7148f23da9821b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66A7 4968 bytes
font_01_sfnt_off00007783.bin
d051265409e10d32af1bc569eda65fe3b5d5061026480b90aea1f5118645871b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7783 10588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.