Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdfc2b41ebed8433…

MALICIOUS

PDF

53.8 KB Created: 2020-09-22 03:58:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a87a0c72a7f062a4bebf0471301a712 SHA-1: 166d701e359a22e99fb04f10d65d4d5415131e3f SHA-256: fdfc2b41ebed843364ea77af414134ff05c30d03c66fc5446a821fd4826cab51
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=understanding+architecture+leland+roth+pdf+download'. Additionally, another critical heuristic indicates a PDF link farm, with numerous external links, one of which is 'https://4219db36-8463-43cf-a12a-8c79e2def44d.filesusr.com/ugd/b91392_eb0b21d314294f9e89fb673e6af532a7.pdf?index=true'. The document body, though heavily obfuscated, contains the same URL as the malicious redirector, reinforcing the attack vector.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=understanding+architecture+leland+roth+pdf+download
    • https://4219db36-8463-43cf-a12a-8c79e2def44d.filesusr.com/ugd/b91392_eb0b21d314294f9e89fb673e6af532a7.pdf?index=true
    • https://5bccd467-6cae-4ff7-aa99-1c75cecb474f.filesusr.com/ugd/24deb6_a20d6ee12bf34bd2aa75f272db9b0254.pdf?index=true
    • https://efa713b6-9010-4c61-9495-8c7b223e1b8d.filesusr.com/ugd/964009_2862e1015721418582b0622e3fdd1f47.pdf?index=true
    • https://e5a7b0d5-8b20-482e-affb-a764c3d8179d.filesusr.com/ugd/de60da_3c32636ded2a441ba78ee15fdc219ade.pdf?index=true
    • https://9735720b-9d7b-4966-86b6-b6be15d05b68.filesusr.com/ugd/804ff6_060dbbc036fd4c2c928866e626b8a05d.pdf?index=true
    • https://36eca8dd-6f7b-49da-a5f8-3879568fff3b.filesusr.com/ugd/a13bc2_0c2d9ae956b9499bb956b36189c44689.pdf?index=true
    • https://55d1ba2e-eb59-4014-ba7a-fae563feeab7.filesusr.com/ugd/9e14ca_98230aa06ce744bfb5547510bfc95fa7.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mowojemabedeju.pdf
    • https://cdn.shopify.com/s/files/1/0431/5673/4109/files/27665161.pdf
    • https://cdn.shopify.com/s/files/1/0431/7406/8390/files/femivevexosovizenevafizag.pdf
    • https://cdn.shopify.com/s/files/1/0438/6449/0149/files/dofe_assessors_report_gold.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000090e4.bin
562c6a56ea68e352fee1f61664e4f314016d2393be0bd4d2eb42d08510220b62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90E4 5500 bytes
font_01_sfnt_off0000a3ad.bin
37dde8fa9d64e0838645cd556e0d82d38871013307c2d746388ef733e247a23c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA3AD 11420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.