Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d029588bc2b5e93…

Verdict: MALICIOUS
File type: PDF
Size: 46.4 KB
Created: 2020-08-16 16:05:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe5674d41df6551d68386aaedbca9835
SHA-1: 198032b2320fa4cbcce42bc5eb6b1b1f2c3a608d
SHA-256: 1d029588bc2b5e9392e617b697aee5374ef046750e8548343ff153a4ee77f518
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a deceptive link presented as a download for 'free music theory worksheets for guitar'. This link, 'https://ttraff.cc/pify?keyword=free+music+theory+worksheets+for+guitar', redirects to malicious infrastructure, indicating a phishing or malware distribution attempt. The document also exhibits characteristics of a link farm, with numerous embedded links, many pointing to Shopify domains, likely for SEO manipulation to increase visibility. The presence of a visual download button further supports the lure.

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=free+music+theory+worksheets+for+guitar (flagged: malicious redirector)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000772e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x772E   5476 bytes
  SHA-256: 594ad8d652e4b4c0cfe24509a033f21c3528da7f2d5928eb875596eee3f4fd46
font_01_sfnt_off000089c6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x89C6   10284 bytes
  SHA-256: a5a9e30126ba50bb1aef27e6009d07bcb0aee274d667978e6290b618325c85ae