Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe1ede742ed88c7c…

MALICIOUS

PDF

44.6 KB Created: 2020-09-05 02:28:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50a069c58610f5a908ca139ac4260b4a SHA-1: 25ed2c478847f9c3a41569bd72413420a3b969ff SHA-256: fe1ede742ed88c7c203fc6ab01da01c3b86a83c8cfed66340954bb10b1810788
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a link that redirects to a known malicious URL, disguised with a keyword suggesting a formal appreciation email. The document also features a large number of embedded links, many pointing to static hosting services, which is characteristic of SEO poisoning or link farm tactics. The primary malicious link is https://ttraff.link/wix?keyword=formal+appreciation+email+format, which likely serves as a gateway to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=formal+appreciation+email+format
    • https://static.usrfiles.com/ugd/0cd3a8_8155e31bc48b42f7a9aff9a40fd9a743.pdf
    • https://static.usrfiles.com/ugd/c345b0_abeacf884a93412bb712a41eb52eba20.pdf
    • https://static.usrfiles.com/ugd/cacfd7_bfcd9ee6703647d380714ddb1ad1a44e.pdf
    • https://cdn.shopify.com/s/files/1/0454/7198/9926/files/croatia_rough_guide.pdf
    • https://cdn.shopify.com/s/files/1/0433/8732/2522/files/atex_directive_1999_92_ec.pdf
    • https://cdn.shopify.com/s/files/1/0461/1358/7363/files/midwifery_definition.pdf
    • https://cdn.shopify.com/s/files/1/0428/1411/1903/files/74017315355.pdf
    • https://cdn.shopify.com/s/files/1/0432/6857/1294/files/tijelisolapoviguxedoweweg.pdf
    • https://static.usrfiles.com/ugd/4b68be_79cfa5e016304ca0a2d7e130bae85203.pdf
    • https://static.usrfiles.com/ugd/2b3f46_43102aae36984a31bd4cc0feaaaf8c4b.pdf
    • https://static.usrfiles.com/ugd/b8c837_190d8abef2c64a88b1d03a9bea354686.pdf
    • https://static.usrfiles.com/ugd/10b11f_620117a1c8184a58bcfb2f825071d38c.pdf
    • https://cdn.shopify.com/s/files/1/0439/9346/4990/files/panera_bread_job_application.pdf
    • https://cdn.shopify.com/s/files/1/0430/5872/5018/files/47109881067.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ff4.bin
64e6fa167b5d4b3dee0aa8625eb10090e2a5601e09d6a1c70a384c10b5729667		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FF4 4724 bytes
font_01_sfnt_off00006fde.bin
a2b744e536220e6179d2cdeec7e343aae0909b63b4a06dedb5a84f13c1bbe0ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FDE 12412 bytes
font_02_sfnt_off00009799.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9799 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.