Malicious PDF — malware analysis report

Static analysis result for SHA-256 eff278d201c3c317…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Created: 2020-08-07 05:40:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a5b7128bf83c3eec2b5486cc6043b4bb
SHA-1: fe6c097e87084341932f20e43bd45a8c2dba5f14
SHA-256: eff278d201c3c3179e03526c71c81f3bf631b62cae85bea991dce94e911de754
Risk Score: 208

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains numerous links, including a critical redirector link to 'ttraff.cc', which points to a social engineering lure. The document body and heuristics indicate a lure for a 'PDF to Word converter', combined with lures for remote-support tools and browser extensions. The primary goal therefore appears to be tricking the user into downloading and executing a malicious payload, potentially for credential theft or further malware installation. No scripts were extracted; the embedded URLs are the primary indicators of compromise.

Heuristics (6)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] SE_REMOTE_SUPPORT_LURE: Remote-support tool lure
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document.
  • [high] SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.cc/pify?keyword=pdf+to+word+converter+arabic+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007710.bin
    SHA-256: cb359a537d72b39ac4b24541f3f7fe12b77159415523058611e7c613033ecd60
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7710
    Size: 5128 bytes
  • Filename: font_01_sfnt_off000088ad.bin
    SHA-256: c61996a57b79ae62dc6251668838b6885ae875610be13f41b6662042dab7a9da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88AD
    Size: 9964 bytes