Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec3ce86a3109af15…

Verdict: MALICIOUS
File type: PDF
Size: 54.6 KB
Created: 2020-08-31 02:00:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ccfb5b7e5e7b47c9fb5f72808d4458e
SHA-1: 1f2b2f414b88509a2d17ead4c0fc95a7602dc523
SHA-256: ec3ce86a3109af152c9af7bb6042d459d9488225b583bc000a690501c0168782
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one heuristic specifically identifying it as a PDF link farm. The primary malicious URL, 'https://ttraff.com/wix?keyword=nazlan+ertan+kimdir+o', is flagged as a known malicious redirector. While the document body contains garbled text and metadata indicating it was generated by wkhtmltopdf, the presence of numerous links, including the malicious redirector, strongly suggests an attempt to lure users to harmful content.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/wix?keyword=nazlan+ertan+kimdir+o

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000887a.bin
  SHA-256: 73e9fe98769bbe014d91c719ad97f62c10c42307dd27489b3409a9f39a98d79f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x887A
  Size: 4876 bytes

Filename: font_01_sfnt_off000098fa.bin
  SHA-256: 7288d56432e724a8402cf46a6b9a99d9a7f5d61d9ff98ecb5011a0c7e00ff835
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x98FA
  Size: 17816 bytes