Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1ae0cfc4f4f4fd0…

MALICIOUS

PDF

Size: 56.0 KB
Created: 2020-08-31 01:27:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ba98353af09db47bf09a4c83dc6a59b
SHA-1: 7a9cfd3442634bce6b0f5caa7317c3e87124eeb9
SHA-256: f1ae0cfc4f4f4fd0b4d7e9b7c958f8e4ce766fc0c8ce041c2fa0528a2dc1ec30
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a search query, suggesting a lure to trick users into clicking the malicious link. The primary malicious URL identified is https://ttraff.cc/wix?keyword=shiva+ashtothram+in+telugu+free+down, which is likely used to redirect the user to a further malicious destination.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://ttraff.cc/wix?keyword=shiva+ashtothram+in+telugu+free+down

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000a0a7.bin
    SHA-256: 554afe009b0239877fb16deec14c809726ba0aa95cd370c09365e3272304e284
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA0A7
    Size: 5576 bytes
  • Filename: font_01_sfnt_off0000b385.bin
    SHA-256: 9ec0321a2427496f8275e52f6e2a01c108b85811f710591306ac1e28d1f73518
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB385
    Size: 12628 bytes