Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecfcb055a80715e0…

MALICIOUS

PDF

56.6 KB Created: 2020-09-18 17:55:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e50abed377f1929633ab498ee6769c0 SHA-1: a50a27599f30497f947bdc262b88a91add49e4c3 SHA-256: ecfcb055a80715e0933f38ee33f408c8b204cb8745f01897a5c37a5f4005ec72
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm designed to redirect users to various PDF documents, one of which is presented as a download for a music album. The primary malicious URL identified is https://ttraff.me/wix?keyword=download+bigbang+made+full+album+rar, which likely leads to further malicious content or phishing attempts. The presence of numerous links and the deceptive content suggest a social engineering tactic to distribute malware or lead users to malicious websites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=download+bigbang+made+full+album+rar
    • http://kizobel.careyreidkirkinc.com/uploads/1/3/0/8/130813668/gawarixasulowe.pdf
    • http://bixit.evolutionarytransformationsgroup.com/uploads/1/3/2/8/132815342/megumugewolit.pdf
    • https://caa35483-358f-4deb-b2c0-6342bd4fd122.filesusr.com/ugd/0d018b_c37ab0158041437c8f1a9a07852cda16.pdf?index=true
    • https://864db619-bac3-4619-954e-ec94d76c889e.filesusr.com/ugd/4ae4db_c42e127e0e544b888796524706f26834.pdf?index=true
    • https://e64cfaac-0570-420b-bdd2-6e9f4c2291b2.filesusr.com/ugd/97aff7_80cb7f9ebde342dd933059bf6db3f15f.pdf?index=true
    • https://78b4f21e-2595-4ffc-9d88-bb3e577f853b.filesusr.com/ugd/8c0e65_77497eb043e946608ce5c8aa6acf8d73.pdf?index=true
    • https://ec5d8283-5502-435d-a067-93b4be540a32.filesusr.com/ugd/3a38e0_e7543ddd0f0a4adeb9946229dac5be4d.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/4395/4594/files/winowepipakonelafe.pdf
    • https://cdn.shopify.com/s/files/1/0434/0187/1512/files/malthusian_theory_of_population_growth.pdf
    • https://cdn.shopify.com/s/files/1/0432/4016/1435/files/harmonic_motion_worksheet_answers_chapter_11.pdf
    • https://cdn.shopify.com/s/files/1/0429/6962/8828/files/skyward_sword_iso.pdf
    • https://cdn.shopify.com/s/files/1/0435/9471/1203/files/nytimes_crosswords_answers.pdf
    • https://cdn.shopify.com/s/files/1/0430/6426/2818/files/83750512605.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d98.bin
73f9bcda116c14e9f6f0922419930f70c5d7988fe26f04202bcc6a4e70f6874c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D98 5996 bytes
font_01_sfnt_off000071ad.bin
8f73e5e08a0b49f234b387bda5ee6560281410a5eed2470bf27916b0d85c8812		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71AD 5280 bytes
font_02_sfnt_off0000839d.bin
c8a4b624aa519125eecca1d09433a7591e143f63a35c4bf6a814c5f7bb285ea6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x839D 7024 bytes
font_03_sfnt_off00009661.bin
07d281f6b444dadee48a09d7bf8ae218dbca9946dae6dcaa0cc92e9512b79263		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9661 11844 bytes
font_04_sfnt_off0000be48.bin
25e1c06bb4773ad6d1bdfbb8a90d9f84dd59580a6d6a2062e975f4d8b5ec230f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBE48 16472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.