Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef8d36143b3eb7d6…

MALICIOUS

PDF

47.8 KB Created: 2020-09-04 20:00:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef844147839d67b1cf2787ef385d9d56 SHA-1: 9754e1fa07f0a7b42bdf475d3520601125c00f8a SHA-256: ef8d36143b3eb7d6d4dff7bcbd00a6ccaf8fd4bd828e6410e4d21404f21ae7c8
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a prominent link to 'ttraff.club', which is flagged as a malicious redirector. The document body, though heavily garbled, contains the same URL and mentions 'Showbox for my android phone', suggesting a lure for a potentially unwanted or malicious application. The presence of a "download button" heuristic and a "callback lure" further supports a phishing or scamming intent. The PDF also hosts a large number of external links, many pointing to benign files, but the primary malicious redirector is the key indicator.

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=showbox+for+my+android+phone
    • https://static.usrfiles.com/ugd/8de238_9a7e01268a85404e992b1af3f38bcefe.pdf
    • https://static.usrfiles.com/ugd/b8c837_4b522b4db0354ce3b6b1b87d5fc3bc7c.pdf
    • https://static.usrfiles.com/ugd/fd4c29_bde8065e549443a78557583791e392be.pdf
    • https://static.usrfiles.com/ugd/97634b_a234e5028b5f401d88a2e478ddd65a61.pdf
    • https://cdn.shopify.com/s/files/1/0427/6820/3942/files/94355294943.pdf
    • https://cdn.shopify.com/s/files/1/0432/4530/6011/files/pesopigoxopejo.pdf
    • https://cdn.shopify.com/s/files/1/0434/6393/4109/files/totanenitur.pdf
    • https://cdn.shopify.com/s/files/1/0434/5528/3352/files/81015836615.pdf
    • https://cdn.shopify.com/s/files/1/0450/3525/8020/files/pufomosaxerufev.pdf
    • https://static.usrfiles.com/ugd/b0cb2d_818d9d9a6b7648258523ced00953db67.pdf
    • https://static.usrfiles.com/ugd/e49726_95cdf52bc48f4595bc74f0a685c04694.pdf
    • https://static.usrfiles.com/ugd/7f16bd_adca5f5ebffa4cad86077a94be4cc860.pdf
    • https://static.usrfiles.com/ugd/dd6616_f66bf45b77284b38b635bd6c6dc986fe.pdf
    • https://static.usrfiles.com/ugd/0aab01_997a0028d53c47368c20b33ca513d801.pdf
    • https://static.usrfiles.com/ugd/b8c837_5c5d0e8ef8cc449fb11bb7d577dc25a8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d92.bin
7b9852e51dbff5f4812f3ba01359564741ddd7836a348137127dc91a981dd356		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D92 5284 bytes
font_01_sfnt_off00007f6b.bin
da25bf69981acb27f1ab6f449e050b851baf007270dcbbab26c57521a8deef9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F6B 10840 bytes
font_02_sfnt_off0000a3a6.bin
b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA3A6 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.