Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb374d93635815b7…

Verdict: MALICIOUS
File type: PDF
Size: 72.8 KB
Created: 2020-09-07 22:57:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fbfb0dc1621f7c228be79a5e56d30fe
SHA-1: cbbf943154177c5702147e15547bcadfc7d0d409
SHA-256: fb374d93635815b70ac3c675ec10bd4f8a7d85213bce879b0273b450a8cd3971
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

The PDF file contains a significant number of embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.me/wix?keyword=tileset+platformer+game+maker', which is also listed as a malicious redirector. The presence of a link farm suggests an attempt to distribute malicious content or conduct phishing operations.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.me/wix?keyword=tileset+platformer+game+maker

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e184.bin
    SHA-256: a6ecc484390a2bae4e8190bd2292eee3277cc43c5883861657c3fd321859e5d5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE184
    Size: 5232 bytes
  • Filename: font_01_sfnt_off0000f344.bin
    SHA-256: 7d3e8599c228678cb2f6081efafb9c2cb70178aedc3d99f97b94032c2ef15068
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF344
    Size: 10220 bytes