Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee4e46025b427df4…

Verdict: MALICIOUS
File type: PDF
Size: 125.5 KB
Created: 2020-09-19 18:14:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6d79897b333aeafabd7e3a861d77ea3
SHA-1: f67b9225fbad754e6c5120197514fdd33ccfb160
SHA-256: ee4e46025b427df4a96662c5cd9dc40a43ece218ddf4de3d51385ae7b801bcad
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link
  • T1566.002 Spearphishing Attachment

The PDF triggers a critical-severity heuristic for a malicious redirector link, specifically one pointing to 'https://ttraff.cc/wix?keyword=chromium+android+apk'. Combined with the 'SE_BROWSER_INSTALL_LURE' and 'SE_PASSWORD_ARCHIVE_LURE' heuristics, this indicates a social engineering attack: the document most likely attempts to trick the user into downloading and installing malicious software disguised as a browser update, or into opening a password-protected archive whose password is supplied in the document so that the payload stays encrypted until after gateway scanning. The presence of a link farm also suggests an attempt to manipulate search engine results or to distribute the content widely.

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/wix?keyword=chromium+android+apk

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00019092.bin
    SHA-256: 3f21729789822475406f73dc64640d90ad819f362b3555ccde4151d5e6fe6dcc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19092
    Size: 4960 bytes
  • font_01_sfnt_off0001a13a.bin
    SHA-256: 341a51d1ed9488edf352e1a09e0cc567483f8b7fedb8d5bfd9b6995ef0287c2e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A13A
    Size: 15900 bytes
  • font_02_sfnt_off0001d393.bin
    SHA-256: aad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D393
    Size: 16312 bytes