Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb11258a5571033e…

Verdict: MALICIOUS
File type: PDF
Size: 40.4 KB
Created: 2020-07-10 06:32:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c8805ef1ffb25e8f3d3e6b5852c7854b
SHA-1: 00cce15ee6c9046c04efe9facc012327619143a1
SHA-256: eb11258a5571033e210a5e411b842a4195680b274c12a63190e3b4a7b70282a5
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF file contains numerous embedded links, many of which point to external PDF files hosted on various domains. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.com/wb?keyword=wanscam%20hw0043%20user%20manual'. Another heuristic flagged the document as a PDF link farm, suggesting a coordinated effort to distribute malicious content. The ClamAV detection 'Pdf.Dropper.Agent-9746213-0' further confirms its malicious nature. The document body, though partially obfuscated, contains the title 'Wanscam hw0043 user manual', indicating a lure to disguise the malicious links.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-9746213-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9746213-0
  • QR-code redirect lure [medium] (SE_QR_LURE)
    Document instructs the user to scan a QR code with a phone. This is consistent with QR phishing, but is also common in legitimate documents.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wb?keyword=wanscam%20hw0043%20user%20manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006089.bin
  SHA-256: caa447b2f24057639b8d9b7c218b12f368c6da7792833d8a9bdfe6fa44127249
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6089
  Size:    5180 bytes

Filename: font_01_sfnt_off000071f8.bin
  SHA-256: 06c766738050aee947e10bac87ef2c70e4087005a80d1829dec3c4a187effd41
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x71F8
  Size:    10156 bytes