Malicious PDF — malware analysis report

Static analysis result for SHA-256 f48fee012bf9f1b8…

Verdict: MALICIOUS
File type: PDF
Size: 63.5 KB
Created: 2020-09-18 05:13:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a21f23d7a45c858d675bc829baa97d0
SHA-1: b09ab267536ef76081b5367013cfddcbd8af0d42
SHA-256: f48fee012bf9f1b81477a7481509e108fc795eab0bd67ca139872af401f41aa4
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF_MALICIOUS_REDIRECTOR_LINK heuristic fired on the clickable URI `https://ttraff.me/wix?keyword=troy+bilt+tb230+owners+manual`: the document poses as a Troy-Bilt TB230 owner's manual and sends the reader into redirector infrastructure instead of to the manual. The page text also asks the reader to call a phone number in a billing or support context, the pretext typical of callback phishing, so the sample is a social-engineering lure that depends on user interaction and redirect chains, not a PDF parser exploit. The remaining extracted URLs fall into two groups: clickable links to other generated PDFs on third-party file-hosting domains, which is the link-farm pattern scored by PDF_SEO_LINK_FARM, and six w3.org, purl.org and ns.adobe.com URIs, which are standard XMP metadata namespace identifiers and not network indicators. The wkhtmltopdf producer string is consistent with the document having been generated from HTML rather than authored by hand.

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure.
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm.
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): callback phishing phone lure.
    Document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, consistent with callback phishing or tech-support scam patterns.
  • EMBEDDED_URL (info): embedded URL.
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.me/wix?keyword=troy+bilt+tb230+owners+manual (flagged by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://golaxi.supportersofoperasingers.org/uploads/1/3/2/6/132683286/96bfd88e7ab160c.pdf
    • http://sibifub.wisconsinrailroadbooks.com/uploads/1/3/2/6/132682076/d07e00733.pdf
    • http://malepuve.daytonffa.com/uploads/1/3/0/8/130874002/bizitowukul.pdf
    • http://files.englishin6months.com/uploads/1/3/1/0/131070459/91a1bb8b.pdf
    • https://7ecb7085-8597-4757-bbb0-0f21b3838d8a.filesusr.com/ugd/c33f71_59692cd95c524b0f8766676cad1f4248.pdf?index=true
    • https://04bdb614-16e7-4a44-ac99-b09b8693dbb1.filesusr.com/ugd/418e76_80bd2ce159fb4b75b676967a74563401.pdf?index=true
    • https://c96d09ac-02b8-4f36-bb47-0b5ef0a1ccef.filesusr.com/ugd/1c8c1e_b6ef81733f9449a3aa0bb507b83325ec.pdf?index=true
    • https://2ad73734-3889-42d6-9afc-955dffdde087.filesusr.com/ugd/7a13df_c50f438e81394799bcb75d4dbad493f7.pdf?index=true
    • https://5bacaf20-2745-40bc-88bf-c90c8a71410e.filesusr.com/ugd/39cb9d_d30d0f0329af442188ab317a6d6b1097.pdf?index=true
    • https://3223f3b1-6d3d-46a0-9a14-ba7886afdb40.filesusr.com/ugd/5ea4d5_da0417e012434a5c97a58640325e4e1a.pdf?index=true
    • https://c44a77cd-a5ee-4637-be3b-9679eb85c0fb.filesusr.com/ugd/d90490_84a426d6dd6d4226b03ee329b4b414ac.pdf?index=true
    • https://06662103-dafe-4aaf-9b0c-1ff2e660b8bb.filesusr.com/ugd/bca722_f7bf57b58ac64e39984c12c8fafba6d7.pdf?index=true
    • https://ee3ce0fe-524f-41c7-a5e5-725c50242fc8.filesusr.com/ugd/c638b7_cabdfa63f4174d80b334c873b3fbee34.pdf?index=true
    • https://257dee26-dc91-4325-90b2-2bf66d249a27.filesusr.com/ugd/314c35_02b06dc007e047f4835cbe60ee120ec1.pdf?index=true
    • https://9619fce4-0e27-4ba3-b014-b733d1bb37fa.filesusr.com/ugd/7fedcf_24d40c9e82314603bcee840426d5be08.pdf?index=true
    • https://fb0283d6-50be-48cc-b989-59d05e36dd6a.filesusr.com/ugd/78daac_313ff3c235554bd1a30ce30b1c15e4e7.pdf?index=true
    XMP metadata namespace URIs (schema identifiers found in the document's metadata packet, not network indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
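
To make the heuristics above concrete, the following Python is an added example that re-creates three of them over raw PDF bytes; it is neither the analysis platform's detector nor code from the sample. It extracts link-annotation URIs and labels every URL with the channel it came from (the EMBEDDED_URL per-URL label), separates XMP namespace URIs from real indicators, scores a small file carrying many clickable .pdf links on one hosting site (PDF_SEO_LINK_FARM), and looks for a phone number next to billing or support wording in the page text (SE_CALLBACK_LURE). It runs on a constructed in-memory PDF; the `redirector.example` and `files.example.net` domains, the thresholds and the keyword list are assumptions for illustration. Because it scans uncompressed objects only, a PDF whose annotations live in compressed object streams must first be inflated by a real parser.

```python
"""Re-creation of three of the report's heuristics over raw PDF bytes.

Added example, not the analysis platform's code. Only uncompressed objects
are scanned; annotations inside compressed object streams (/ObjStm) need a
real parser (pypdf, pdfminer) to inflate them before these regexes apply.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# A link annotation carries its target in a /A << /S /URI /URI (...) >> action.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Any http(s) string anywhere in the file: page text, XMP packet, etc.
BARE_URL = re.compile(rb'https?://[^\s<>()"]+')
# Literal strings shown by a Tj operator in an uncompressed content stream.
TEXT_SHOW = re.compile(rb"\(([^)]*)\)\s*Tj")
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
# Schema identifiers every XMP packet contains; never network indicators.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/", "http://purl.org/dc/", "http://ns.adobe.com/")
# Assumed keyword list for the callback-lure context check.
LURE_WORDS = ("billing", "refund", "subscription", "fraud", "security", "support")


def extract_urls(pdf: bytes) -> dict:
    """Map url -> channel; 'link-annotation' takes precedence over 'document-body'."""
    found = {}
    for m in URI_ACTION.finditer(pdf):
        found[m.group(1).decode("latin-1")] = "link-annotation"
    for m in BARE_URL.finditer(pdf):
        found.setdefault(m.group(0).decode("latin-1"), "document-body")
    return found


def site(url: str) -> str:
    """Crude registrable-domain approximation (last two host labels); enough
    to collapse per-tenant subdomains of one file-hosting service."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def link_farm(urls: dict, pdf_size: int, max_size: int = 200 * 1024,
              min_links: int = 8, share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style rule: small file, many clickable .pdf links,
    most of them on one site. Thresholds are assumptions for this example."""
    clickable = [u for u, ch in urls.items() if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    by_site = Counter(site(u) for u in pdf_links)
    top, count = by_site.most_common(1)[0] if by_site else (None, 0)
    fires = pdf_size <= max_size and len(pdf_links) >= min_links and count >= share * len(pdf_links)
    return {"fires": fires, "pdf_links": len(pdf_links), "top_site": top, "top_site_links": count}


def callback_lure(pdf: bytes) -> dict:
    """SE_CALLBACK_LURE-style rule: a phone number beside billing/support wording."""
    text = " ".join(m.group(1).decode("latin-1") for m in TEXT_SHOW.finditer(pdf)).lower()
    phones = PHONE.findall(text)
    context = [w for w in LURE_WORDS if w in text]
    return {"fires": bool(phones and context), "phones": phones, "context": context}


def analyze(pdf: bytes, redirector_sites=("redirector.example",)) -> dict:
    """Run all checks; redirector_sites stands in for a threat-intel list."""
    urls = extract_urls(pdf)
    metadata_uris = [u for u in urls if u.startswith(XMP_NAMESPACE_PREFIXES)]
    indicators = {u: ch for u, ch in urls.items() if u not in metadata_uris}
    return {
        "urls": indicators,
        "metadata_uris": metadata_uris,
        "redirector_links": [u for u in indicators if site(u) in redirector_sites],
        "link_farm": link_farm(indicators, len(pdf)),
        "callback_lure": callback_lure(pdf),
    }


def build_sample_pdf(n_links: int = 10) -> bytes:
    """Constructed one-page PDF (not the analysed sample): one redirector link,
    n_links .pdf links spread over per-tenant subdomains of one hosting site,
    a phone lure in the page text and an XMP namespace URI in the metadata.
    It has no xref table, so it is meant for scanning, not rendering."""
    annots = ["<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              "/A << /S /URI /URI (https://redirector.example/go?keyword=manual) >> >>"]
    for i in range(n_links):
        annots.append("<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
                      f"/URI (https://{i:08x}.files.example.net/ugd/{i:04x}.pdf?index=true) >> >>")
    content = b"BT /F1 12 Tf 72 700 Td (Call 800-555-0199 about your subscription refund) Tj ET"
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF>'
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
        + " ".join(annots).encode() + b"] >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_pdf()), indent=2))
```

The per-tenant subdomain collapsing in `site()` matters for this sample class: each of the filesusr.com links above sits on its own UUID-prefixed host, so clustering on the full hostname would miss the farm while clustering on the registrable domain catches it. Dropping the XMP namespace URIs before scoring keeps the w3.org and ns.adobe.com entries from inflating the external-link count or ending up in a blocklist.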

Extracted artifacts (3)

Files carved from inside the sample during analysis. Embedded font streams are normal for a wkhtmltopdf-rendered document and are listed for completeness, not as indicators.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000abf1.bin | b245aaeb001519371a43c44f8c4fb4a09ef091f1c0b266e57d3947befa80a02d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xABF1 | 5436 bytes
font_01_sfnt_off0000be63.bin | b6e8ce8d3a780c23eb40fd8804865f1451cb81b103bc86614de9febc87165a43 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBE63 | 10704 bytes
font_02_sfnt_off0000e2f3.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2F3 | 4324 bytes