Malicious PDF — malware analysis report

Static analysis result for SHA-256 f47064d323d04374…

MALICIOUS

PDF

Size: 38.9 KB
Created: 2020-08-30 00:49:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a9617e1f0d08b056553b324b7b62f41
SHA-1: 0b7e3f6789104bf3dcda55bacbe88c89496370a1
SHA-256: f47064d323d043744e2e6375d4400becdf57323c135d6bc6d993b8667a56a7df
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A heuristic fired on a malicious redirector link in the PDF, specifically 'https://ttraff.com/wix?keyword=miley+cyrus+mp3+download+party+in+the+usa'. The document body, though heavily obfuscated, also contains this URL, suggesting a lure to download content. The presence of numerous other PDF links, identified as a link farm, further supports the intent of directing users to external and potentially harmful resources. No scripts were extracted, but the PDF structure and the embedded URLs are sufficient to infer a phishing or redirection attack.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=miley+cyrus+mp3+download+party+in+the+usa
    • https://static.usrfiles.com/ugd/b8c837_12dbbae6700946b2bd35f5b8641ff41c.pdf
    • https://static.usrfiles.com/ugd/07625c_55a51b9fd1234d419fd1c70abcf72e8d.pdf
    • https://static.usrfiles.com/ugd/b8c837_2e3a30113151436e925358d05a45388e.pdf
    • https://static.usrfiles.com/ugd/756799_ca156dc68c9e40c7addc2be0c897fec0.pdf
    • https://static.usrfiles.com/ugd/b8c837_4d9df525fec94099a8c97dcaba23c6f5.pdf
    • https://cdn.shopify.com/s/files/1/0430/7327/4018/files/bozowukidakewasi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gamusuzojikifikukudubug.pdf
    • https://cdn.shopify.com/s/files/1/0456/4651/2295/files/kewukowedabumisufisaf.pdf
    • https://cdn.shopify.com/s/files/1/0435/7311/7091/files/blue_snowball_software.pdf
    • https://static.usrfiles.com/ugd/cafc24_ea5df589a4a04d12ae7a7bc4f397f847.pdf
    • https://static.usrfiles.com/ugd/12f4eb_c10720aa643c40af82c72b26ad8c6dfb.pdf
    • https://static.usrfiles.com/ugd/b8c837_a8de0b5250514b5fb7de2c281ec5ba82.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b86ac5d3a4c43088823d502d87f9643.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000057e3.bin
  SHA-256: 1c597b2c9ee577e317466628888174ec80d1d4a6d0ad24ccdbf22c8a0c4639fd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x57E3
  Size: 5676 bytes

Filename: font_01_sfnt_off00006b1d.bin
  SHA-256: 51401c259aeb7168bc917ec4e5541d28d05924a5e025888332f0be0f67026eaf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6B1D
  Size: 10564 bytes