Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b0fb5b9fd1aba58…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Created: 2020-09-18 03:09:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76431a270d5aed3a185c429619bda07e
SHA-1: 901f9a7918ec5d5d0d7b23ff6d47c2b47f325177
SHA-256: 1b0fb5b9fd1aba58a28f90ae20cee8838b1b2d563d61468313b1f0ad96a011a9
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF fires a critical heuristic for a clickable link to a known malicious redirector; the same link also appears in the document body. The lure is a search keyword ('lg lcd tv service manual free download') that promises a free download. The PDF also carries a mass external link farm: most of its links point at other PDFs hosted on cdn.shopify.com and on several filesusr.com subdomains, a pattern consistent with SEO manipulation to raise the carrier's search ranking rather than with genuine citations. The primary IOC is the ttraff.link redirector URL. The file carries no exploit of its own; it relies on the user clicking through the redirect chain, so the actual payload is whatever the redirector serves at click time.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in what the link resolves to when clicked, not in rendering the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector link (primary IOC; present both as a clickable link annotation and in the document body):
    • https://ttraff.link/wix?keyword=lg+lcd+tv+service+manual+free+download
    Clickable external PDF links (link farm; 7 on cdn.shopify.com, 6 on filesusr.com subdomains):
    • https://cdn.shopify.com/s/files/1/0486/1286/8264/files/29003389172.pdf
    • https://cdn.shopify.com/s/files/1/0429/9672/7957/files/jokivexebugipajesetuxir.pdf
    • https://cdn.shopify.com/s/files/1/0432/8200/6171/files/fatixejijipogedelajorekiz.pdf
    • https://eb24efe3-2a3f-4725-8d29-2c7ec8576527.filesusr.com/ugd/a91264_677fb12383334325ad6b9c059f12b098.pdf?index=true
    • https://7ff505c4-1556-4405-8e5f-5d6c3b115bb8.filesusr.com/ugd/fef806_56c50805bd80479dab74d4bb345c0874.pdf?index=true
    • https://825217b2-edc4-4e7a-839b-c308b9c33a68.filesusr.com/ugd/2994dd_9e0e34a7fad94b0fa4b20d5757efcb4a.pdf?index=true
    • https://e645c0a7-0526-4f3e-8074-8993f1580220.filesusr.com/ugd/0a51c1_2ba74968ab18419e91beb9233ec312a7.pdf?index=true
    • https://1f5ba36e-14f1-4668-aff5-fed4f1dbc84d.filesusr.com/ugd/724fb5_99de960f72074be59d014d43c0356adb.pdf?index=true
    • https://d0af2e0d-e4dd-4e87-8c5a-7f810eda9133.filesusr.com/ugd/49be48_35020b2b8064462e9b22b11af6c229f3.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0429/5216/3482/files/movuj.pdf
    • https://cdn.shopify.com/s/files/1/0432/6588/4313/files/whatsapp_in_my_samsung_z2.pdf
    • https://cdn.shopify.com/s/files/1/0479/1615/5047/files/lazejigunurelobodor.pdf
    • https://cdn.shopify.com/s/files/1/0433/6313/9733/files/zadevadurezexisexelag.pdf
    XMP metadata namespace URIs (RDF, Dublin Core and Adobe XMP schema identifiers from the document's metadata stream; not clickable links, expected in any XMP-tagged PDF, and not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
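
The two critical heuristics above can be reproduced with a short script. The following is an added example, not the report's own detection engine or code: it pulls URLs out of a PDF by channel (clickable /Link annotations carrying a /URI action versus namespace declarations in the XMP metadata stream), then applies simplified versions of the redirector block-list and link-farm checks to the clickable channel only. The thresholds, the REDIRECTOR_HOSTS block-list, the helper names and the constructed sample PDF are assumptions made for illustration.

```python
"""Reproduce the two critical PDF heuristics above on a constructed sample.

Added example, not the report's own engine or code. The channel split
(clickable /Link annotations with /URI actions vs. XMP namespace URIs),
the block-list, the thresholds and the sample PDF are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Channel 1: /URI string operands inside link annotations. PDF strings are
# literal "(...)" with backslash escapes, or hex "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Channel 2: namespace declarations in the XMP metadata stream. These are
# schema identifiers, not clickable links, and must not be counted as IOCs.
XMLNS = re.compile(rb'xmlns:\w+="([^"]+)"')

REDIRECTOR_HOSTS = {"ttraff.link"}   # assumed block-list, seeded from the report's IOC
SMALL_PDF_BYTES = 100 * 1024         # assumed: what counts as a "small" carrier
MIN_FARM_LINKS = 8                   # assumed: minimum clickable external links
MAX_HOST_SHARE = 0.6                 # assumed: share of links clustered on one host

def _decode_literal(raw: bytes) -> str:
    """Undo the literal-string escapes that can appear in a URL operand."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")

def extract_urls(pdf: bytes) -> dict:
    """Return URLs grouped by the channel that reached them."""
    links = [_decode_literal(m) for m in URI_LITERAL.findall(pdf)]
    links += [bytes.fromhex("".join(h.decode().split())).decode("latin-1")
              for h in URI_HEX.findall(pdf)]
    return {"link_annotation": links,
            "xmp_namespace": [m.decode("latin-1") for m in XMLNS.findall(pdf)]}

def triage(pdf: bytes) -> dict:
    """Apply the redirector and link-farm checks to clickable links only."""
    urls = extract_urls(pdf)
    hosts = Counter(urlparse(u).hostname or "" for u in urls["link_annotation"])
    findings = []
    hits = sorted(u for u in urls["link_annotation"]
                  if (urlparse(u).hostname or "") in REDIRECTOR_HOSTS)
    if hits:
        findings.append(("critical", "PDF_MALICIOUS_REDIRECTOR_LINK", hits))
    total = sum(hosts.values())
    if total >= MIN_FARM_LINKS and len(pdf) <= SMALL_PDF_BYTES:
        top_host, top_n = hosts.most_common(1)[0]
        if top_n / total >= MAX_HOST_SHARE:
            findings.append(("critical", "PDF_SEO_LINK_FARM",
                             [f"{top_n}/{total} clickable links on {top_host}"]))
    return {"urls": urls, "hosts": dict(hosts), "findings": findings}

def build_sample_pdf(link_urls, xmp_namespaces) -> bytes:
    """Constructed sample: one page whose /Annots are /Link annotations with
    /URI actions, plus an XMP stream declaring namespaces. Not a real file."""
    annots, refs = [], []
    for num, url in enumerate(link_urls, start=4):
        refs.append(f"{num} 0 R")
        annots.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                      f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
    meta = 4 + len(link_urls)
    xmlns = " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_namespaces))
    pdf = ("%PDF-1.4\n"
           f"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata {meta} 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >>\nendobj\n"
           + "".join(annots)
           + f"{meta} 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
           f"<rdf:RDF {xmlns}/>\nendstream\nendobj\n"
           "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf.encode("latin-1")

# Constructed inputs mirroring the report's URL mix: one redirector link,
# 7 links on one host, 2 on other hosts, plus 3 XMP namespace URIs.
SAMPLE_LINKS = [
    "https://ttraff.link/wix?keyword=lg+lcd+tv+service+manual+free+download",
    *[f"https://cdn.shopify.com/s/files/1/04{i}/files/sample{i}.pdf" for i in range(7)],
    "https://eb24efe3-2a3f-4725-8d29-2c7ec8576527.filesusr.com/ugd/a.pdf?index=true",
    "https://7ff505c4-1556-4405-8e5f-5d6c3b115bb8.filesusr.com/ugd/b.pdf?index=true",
]
SAMPLE_NAMESPACES = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                     "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/pdf/1.3/"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, SAMPLE_NAMESPACES)

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for severity, rule, evidence in result["findings"]:
        print(f"[{severity}] {rule}: {evidence}")
    print("non-clickable XMP namespaces ignored:", result["urls"]["xmp_namespace"])
```

The point of keeping the two channels apart is visible in the output: the three XMP namespace URIs are extracted but never reach the host counter or the block-list check, so they cannot inflate the link-farm ratio or trigger a false redirector hit. A real engine would additionally resolve indirect object references and decompress FlateDecode streams before scanning, which this regex-based pass does not do.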

Extracted artifacts (2)

Files carved from inside the sample during analysis. No heuristic above refers to these font streams; they are listed as carved artifacts, not as detections.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000629b.bin
  SHA-256: cc46b5e1dbd8607c1ab42e9db6d3d10b116dc9725a9c7cc06a03f05743ac62f7
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x629B
  Size:    5432 bytes

font_01_sfnt_off0000751b.bin
  SHA-256: c21d97091097bc1a728577de752aac335ba4534334d1291342b6303cb542b579
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x751B
  Size:    10012 bytes