Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5dd3b006e444fde…

MALICIOUS

PDF

45.4 KB Created: 2020-08-22 19:59:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 850b4865a1d3cd16a8eb2733aad97daa SHA-1: 758914354c1d18174093eae6ab3f76c7a4bb2749 SHA-256: f5dd3b006e444fdedd2a834dc99c5cc095ddbddbf052b11059ef518254cab618
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, with one identified as a malicious redirector. The primary malicious URL is https://ttraff.com/pify?keyword=tsc+adverts+august+2019+pdf. The document body and embedded links suggest a lure related to 'tsc adverts', potentially a scam or phishing attempt. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=tsc+adverts+august+2019+pdf
    • http://files.primepropertiescebu.com/uploads/1/3/0/8/130814101/74713edb1f.pdf
    • http://files.lthbconsulting.com/uploads/1/3/1/4/131438557/e5315e606cf.pdf
    • http://bisuxanim.beavertalescoffee.com/uploads/1/3/1/3/131378779/ladevi.pdf
    • http://naragela.spencermanbullies.com/uploads/1/3/0/7/130775219/sewewafex-jozovuzexuna.pdf
    • http://files.jari-massage.com/uploads/1/3/0/9/130969728/dozujosavofegesimu.pdf
    • https://cdn.shopify.com/s/files/1/0427/3196/2535/files/pidiratilitotew.pdf
    • https://cdn.shopify.com/s/files/1/0437/1451/1001/files/92244760585.pdf
    • https://cdn.shopify.com/s/files/1/0432/2299/1007/files/6238675891.pdf
    • https://cdn.shopify.com/s/files/1/0435/0391/1076/files/baseband_shaping_for_data_transmission.pdf
    • https://cdn.shopify.com/s/files/1/0433/4275/8056/files/principles_of_economics_case_fair_oster.pdf
    • https://cdn.shopify.com/s/files/1/0454/7146/5624/files/riwebazemebozijitikunima.pdf
    • https://cdn.shopify.com/s/files/1/0450/7149/9416/files/51376126588.pdf
    • https://cdn.shopify.com/s/files/1/0432/0159/3507/files/juserofobop.pdf
    • https://cdn.shopify.com/s/files/1/0438/5662/5829/files/40399429896.pdf
    • https://cdn.shopify.com/s/files/1/0432/6457/3593/files/xavuluzerumomud.pdf
    • https://cdn.shopify.com/s/files/1/0432/5765/9547/files/2495472719.pdf
    • https://cdn.shopify.com/s/files/1/0437/6284/3797/files/rijomexa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0065/1158/files/convert_set_item.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000685f.bin
10035ce3c1657360ad34a9925120c2261e17df12c257841b6b9c1e1377de64df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x685F 5780 bytes
font_01_sfnt_off00007c25.bin
4574f85f4575627fe523f04a0f2daae207dd46f979d214bafb8fed57e4b33739		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C25 14268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.