Malicious PDF — malware analysis report

Static analysis result for SHA-256 f33d98987ba0c66d…

Verdict: MALICIOUS (risk score 128)
File type: PDF, 58.0 KB
Created: 2020-08-12 03:45:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 908d6db200196e6d7edfa1452e57ca71
SHA-1: a5640eb3fb62727d1053d78c205b8ee822b6d4a1
SHA-256: f33d98987ba0c66de5dd9d85b1d4cde758a78c7fe45a823ece89600be5d6be45

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The critical finding is a clickable link to ttraff.com, redirector infrastructure associated with a known malicious PDF SEO/adware delivery campaign. The link's keyword parameter carries the search phrase the lure targets ('23 bus schedule nfta pdf'), the signature of search-engine poisoning: the victim searches for a document, lands on this PDF, and is redirected on click. The same file carries a link farm of 13 external PDF URLs (nine on cdn.shopify.com, the rest on files.<domain>/uploads/... style hosts) of the kind used to boost the campaign's other carrier documents in search rankings. The producer string (wkhtmltopdf via Qt) shows the file was rendered from HTML, consistent with bulk-generated carrier pages rather than an authored document. The redirector URL also appears in the (heavily obfuscated) document body text, so it is visible to the reader as well as clickable. No JavaScript, launch action or other active content fired in static analysis; the delivery chain depends on the user following the link, not on a PDF parser vulnerability.

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF (58 KB) contains many clickable external PDF links (13 here), mostly clustered on one host (nine on cdn.shopify.com). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • [info] EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL (clickable link annotation, also present in the document body):
      • https://ttraff.com/wb?keyword=23%20bus%20schedule%20nfta%20pdf
    Link-farm URLs (clickable link annotations):
      • http://files.sabrinaeisenbarth.com/uploads/1/3/1/3/131378776/4081339.pdf
      • http://files.mrscoryellisawesome.com/uploads/1/3/1/4/131411539/konavomadavobutera.pdf
      • http://toxifeb.mr-nash.net/uploads/1/3/1/3/131380005/zivoleke.pdf
      • http://files.linkedseattle.com/uploads/1/3/0/7/130775017/fizibezominebipef.pdf
      • https://cdn.shopify.com/s/files/1/0440/7879/2869/files/gozuponotiwadudezumun.pdf
      • https://cdn.shopify.com/s/files/1/0434/6596/5718/files/78044156954.pdf
      • https://cdn.shopify.com/s/files/1/0434/6868/5464/files/80127430760.pdf
      • https://cdn.shopify.com/s/files/1/0429/8774/9525/files/tupetofew.pdf
      • https://cdn.shopify.com/s/files/1/0434/3159/2102/files/visa_application_form_to_enter_japan_download.pdf
      • https://cdn.shopify.com/s/files/1/0432/8954/2809/files/44953872289.pdf
      • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mevadijuxirefasu.pdf
      • https://cdn.shopify.com/s/files/1/0449/1457/3467/files/encyclopdie_marvel_universe.pdf
      • https://cdn.shopify.com/s/files/1/0429/3355/1260/files/93170816550.pdf
    XMP/RDF metadata namespace URIs (identifiers from the document's metadata stream, present in any XMP-tagged PDF; not clickable links and not an indicator):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
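The two critical heuristics above reduce to a few measurable properties: link annotations that point at a blocklisted redirector host, and a small file whose clickable links are mostly other PDFs clustered on one host. The following Python is an added illustration of that logic, not the analysis engine's own code. It carves link-annotation URIs and stream-body URLs from raw PDF bytes with regular expressions (literal-string /URI entries only; hex-string URIs are ignored), inflates FlateDecode streams, separates XMP namespace URIs from real links, recovers the search phrase from the redirector's keyword parameter, and runs the link-farm and urgency-lure checks. The thresholds (200 KB, 8 links, 50% host clustering), the redirector blocklist and the sample PDF it builds are constructed assumptions; the link list is the one extracted from this sample, and the body text is invented to exercise the lure check.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Namespace URIs that XMP/RDF metadata always carries; identifiers, not clickable links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/", "http://ns.adobe.com/")
# Hypothetical redirector blocklist; a real deployment feeds this from threat intel.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}
URGENCY_PHRASES = ("account will be terminated", "action required within 24 hours")

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                    # literal-string /URI only
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"')]+")

def inflate_streams(pdf: bytes) -> list:
    """Return every stream body, zlib-inflated when it is FlateDecode, raw otherwise."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:  # decompressobj tolerates the EOL bytes that precede 'endstream'
            data = zlib.decompressobj().decompress(data)
        except zlib.error:
            pass  # uncompressed stream (e.g. XMP metadata): scan the raw bytes
        out.append(data)
    return out

def extract_urls(pdf: bytes) -> dict:
    """Link-annotation URIs (clickable) versus URLs merely present in stream bodies."""
    annots = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]
    body = [u.decode("latin-1") for s in inflate_streams(pdf) for u in URL_RE.findall(s)]
    return {"annotation": annots, "body": body}

def is_metadata_namespace(url: str) -> bool:
    return url.startswith(XMP_NAMESPACE_PREFIXES)

def link_farm(urls, pdf_size, max_size=200 * 1024, min_links=8, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM analogue: small file, many external .pdf links, clustered on one host."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    fired = (pdf_size <= max_size and len(pdf_links) >= min_links
             and top_count / len(pdf_links) >= cluster_ratio)
    return {"fired": fired, "pdf_links": len(pdf_links), "top_host": top_host, "top_count": top_count}

def redirector_hits(urls) -> list:
    """PDF_MALICIOUS_REDIRECTOR_LINK analogue; also recovers the SEO keyword the lure targets."""
    hits = []
    for u in urls:
        p = urlparse(u)
        if p.netloc.lower() in KNOWN_REDIRECTOR_HOSTS:
            hits.append({"url": u, "keyword": parse_qs(p.query).get("keyword", [""])[0]})
    return hits

def urgency_lure(text: str) -> list:
    low = text.lower()
    return [p for p in URGENCY_PHRASES if p in low]

def analyse(pdf: bytes) -> dict:
    urls = extract_urls(pdf)
    clickable = [u for u in urls["annotation"] if not is_metadata_namespace(u)]
    text = b" ".join(inflate_streams(pdf)).decode("latin-1")
    return {"size": len(pdf), "clickable": clickable,
            "link_farm": link_farm(clickable, len(pdf)),
            "redirector": redirector_hits(clickable + urls["body"]),
            "urgency": urgency_lure(text),
            "metadata_namespaces": [u for u in urls["body"] if is_metadata_namespace(u)]}

def build_sample_pdf(links, body_text) -> bytes:
    """Constructed test input (not the analysed sample): one /Link annotation per URL,
    a FlateDecode content stream carrying body_text, and a minimal XMP metadata stream."""
    n = len(links)
    content = zlib.compress(f"BT /F1 12 Tf 72 720 Td ({body_text}) Tj ET".encode("latin-1"))
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    objs = [f"<< /Type /Catalog /Pages 2 0 R /Metadata {n + 5} 0 R >>".encode(),
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents {n + 4} 0 R "
             f"/Annots [{' '.join(f'{i} 0 R' for i in range(4, 4 + n))}] >>").encode()]
    objs += [f"<< /Type /Annot /Subtype /Link /Rect [72 700 300 712] "
             f"/A << /S /URI /URI ({u}) >> >>".encode() for u in links]
    objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(content), content))
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

# Link annotations extracted from this sample, plus a constructed body text for the lure check.
SAMPLE_LINKS = [
    "https://ttraff.com/wb?keyword=23%20bus%20schedule%20nfta%20pdf",
    "http://files.sabrinaeisenbarth.com/uploads/1/3/1/3/131378776/4081339.pdf",
    "http://files.mrscoryellisawesome.com/uploads/1/3/1/4/131411539/konavomadavobutera.pdf",
    "http://toxifeb.mr-nash.net/uploads/1/3/1/3/131380005/zivoleke.pdf",
    "http://files.linkedseattle.com/uploads/1/3/0/7/130775017/fizibezominebipef.pdf",
] + [f"https://cdn.shopify.com/s/files/1/{p}/files/{f}.pdf" for p, f in [
    ("0440/7879/2869", "gozuponotiwadudezumun"), ("0434/6596/5718", "78044156954"),
    ("0434/6868/5464", "80127430760"), ("0429/8774/9525", "tupetofew"),
    ("0434/3159/2102", "visa_application_form_to_enter_japan_download"),
    ("0432/8954/2809", "44953872289"), ("0433/0687/7080", "mevadijuxirefasu"),
    ("0449/1457/3467", "encyclopdie_marvel_universe"), ("0429/3355/1260", "93170816550")]]
BODY_TEXT = "Action required within 24 hours: get the schedule at https://ttraff.com/wb?keyword=23%20bus%20schedule%20nfta%20pdf"

if __name__ == "__main__":
    for k, v in analyse(build_sample_pdf(SAMPLE_LINKS, BODY_TEXT)).items():
        print(k, v)
```

The host-clustering test is what separates a link farm from a bibliography: a real document citing thirteen PDFs rarely has nine of them on one CDN path prefix, and the .pdf filter keeps ordinary hyperlinks from inflating the count. Filtering the XMP namespaces before counting matters because wkhtmltopdf output always carries them and they would otherwise pad the "embedded URL" list.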

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt-container (TrueType/OpenType) font programs, the normal output of the wkhtmltopdf/Qt rendering stack; no heuristic fired on them.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000a6a7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA6A7   5488 bytes
  SHA-256: 89ba636b669b3865af4968292bb01534e731c42c760e94052bc6ed7fb31a18f8
font_01_sfnt_off0000b937.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB937   9980 bytes
  SHA-256: d4c099f156c382c2cc13ac1ab81fc8de41ebbda184097b692bfcac698a04bdfd