Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5f3c8d1905828e0…

MALICIOUS

PDF

42.0 KB Created: 2020-09-14 06:59:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de1966240f4d4822456b93d2591493af SHA-1: d1eb1bd675490a33f6660175ddc542e0c256ec82 SHA-256: f5f3c8d1905828e03a79ecf220ce7435dbf6e7ab8820e34d8f361cd98fab0637
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to 'ttraff.club'. Additionally, it exhibits characteristics of a PDF link farm, with numerous links pointing to external resources, some of which are hosted on Shopify. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic suggests a lure to trick users into clicking the malicious link. No scripts were extracted from this sample, but the combination of the malicious redirector and the download button lure strongly indicates a phishing or scam attempt.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=kiwami+2+how+to+play+koi+koi
    • http://files.armonklions.org/uploads/1/3/1/3/131383251/a396dbacf0ca.pdf
    • https://cdn.shopify.com/s/files/1/0461/0238/0708/files/70613155308.pdf
    • https://cdn.shopify.com/s/files/1/0484/3637/9816/files/best_cv_template_latex.pdf
    • https://cdn.shopify.com/s/files/1/0430/5849/5639/files/another_day_of_sun_sheet_music_free.pdf
    • https://static.usrfiles.com/ugd/6290de_a904c6fb8d334326b17f104f51f18bc7.pdf
    • https://static.usrfiles.com/ugd/4cf28d_3867e19aff01490387672ca548aafd4a.pdf
    • https://static.usrfiles.com/ugd/204f4f_8350f3a9dc4e4f4882ae81909aa11471.pdf
    • https://static.usrfiles.com/ugd/a01749_053e6d94aa5640b19d3da93c58c020ff.pdf
    • https://static.usrfiles.com/ugd/891219_0c2ac4e4cc414c93a5a72de83a98d4f2.pdf
    • https://static.usrfiles.com/ugd/76156b_7f732139f3784bbbb0c23f284b5e5ab4.pdf
    • https://static.usrfiles.com/ugd/64db51_8f82abbd9a894278961700355920339c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b32.bin
a9429cca73c1da1db8ad1d8dddb48f04770d6dc863c1d24be2206f5d3e2b7b2c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B32 3248 bytes
font_01_sfnt_off000066d7.bin
67ba6ae1616138226f4b7243a3ebf9e2e1ec19e57b13fc473333efe5a5076307		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66D7 5144 bytes
font_02_sfnt_off00007851.bin
6277509a1bbfad9117730d659e2bd02df76344696bbdad9459016c5cc74f979a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7851 10328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.