Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5bbad1ee44546cb…

Verdict: MALICIOUS
File type: PDF

Size: 33.4 KB
Created: 2020-08-18 17:49:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a6dc9970c5f33d28601a87512846515
SHA-1: 1a388b465d2fbbfc826377c3cd2d418a933b52ed
SHA-256: e5bbad1ee44546cbf56db45eca569abff67a4e4e683a046dcfe82e6b919e1a5a
Risk score: 120

Malware Insights

MITRE ATT&CK
  T1566.002 Spearphishing Attachment
  T1204.002 Malicious Link

The PDF document contains a mass external link farm, with a primary malicious redirector URL embedded within the document body. The heuristic firings indicate the PDF is designed to redirect users to malicious infrastructure, specifically identified as 'ttraff.com'. No scripts were extracted from this sample, limiting the analysis to the document's structure and embedded links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=gaali+chirugaali+dj+song++mp4

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000045af.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x45AF  5684 bytes
  SHA-256: f2851f8dd97751d48ad1421bd5ccc4a8f9c954108952adca13da46a4362c40d9
font_01_sfnt_off000058eb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x58EB  9456 bytes
  SHA-256: 05b4065cda8cd41d59ce78c71c49d16e936c0b0c527c324b6b782696ce976a7c