Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d35722522540f61…

Verdict: MALICIOUS
File type: PDF
Size: 38.5 KB
Created: 2020-08-25 02:01:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ffd9b039d01c0d502b52f640ca66e77
SHA-1: 56efbbae92ee286e4a0d69833ae8a479476c8214
SHA-256: 1d35722522540f61a9e0b7a03e2b2163603808cdd6cb42d3e0bc3a62a66ba5d6
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF contains a link farm and a direct link to a known malicious redirector, ttraff.com. The document body, although heavily obfuscated, carries the same lure text 'alcoholic whatsapp status video' and the same ttraff.com URL as the link annotation, which shows the file was generated to drive traffic to that infrastructure. The many links to PDFs hosted on cdn.shopify.com match a link-farm pattern used to inflate search engine rankings or to distribute malicious or unwanted content through a reputable, seemingly benign host.

Heuristics 3

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels name the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
    • https://ttraff.com/pify?keyword=alcoholic+whatsapp+status+video (link annotation; the same URL also appears in the document body text)
    • http://files.copyslutband.com/uploads/1/3/1/3/131398374/1c4534b8b036f6.pdf
    • http://files.jessiedallasdesigns.com/uploads/1/3/0/7/130739084/jawibim.pdf
    • https://cdn.shopify.com/s/files/1/0429/3197/8403/files/r_programming_assignments.pdf
    • https://cdn.shopify.com/s/files/1/0432/8911/6836/files/64907398388.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/xodowowesibaxen.pdf
    • https://cdn.shopify.com/s/files/1/0435/3956/2651/files/14972335216.pdf
    • https://cdn.shopify.com/s/files/1/0429/8981/3909/files/milani.pdf
    • https://cdn.shopify.com/s/files/1/0435/2029/5064/files/49739620325.pdf
    • https://cdn.shopify.com/s/files/1/0433/0012/6885/files/jevukexizazipotigupasuboj.pdf
    • https://cdn.shopify.com/s/files/1/0430/3604/9571/files/naselawo.pdf
    • https://cdn.shopify.com/s/files/1/0430/1121/1417/files/vehicle_lease_agreement_template_bc.pdf
    • https://cdn.shopify.com/s/files/1/0430/6678/5949/files/zevukagosozufidodoj.pdf
    • https://cdn.shopify.com/s/files/1/0440/5808/3480/files/access_android_messages_on_pc.pdf
    • https://cdn.shopify.com/s/files/1/0431/7410/1160/files/64864396963.pdf
    • https://cdn.shopify.com/s/files/1/0447/7802/9213/files/tegopesowu.pdf
    The following six URIs are standard XMP/RDF namespace identifiers from the document's metadata stream, not clickable links, and carry no weight in the heuristics above:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
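An added example, not the scanner's own code: the three heuristics above and the per-channel URL labelling, re-implemented in Python over a PDF constructed in-line so the script runs offline. The rule names are the report's; the thresholds (ten or more external PDF links, at least 60% of them on one host, file no larger than 200 KB), the redirector block-list and the minimal PDF builder are assumptions.

```python
# Added example (not the scanner's code); thresholds and block-list are assumptions.
import re
from collections import Counter
from urllib.parse import urlparse

REDIRECTOR_HOSTS = {"ttraff.com"}  # assumed block-list; the report names only this host
# XMP/RDF namespace identifiers found in the metadata stream of most PDFs.  They are
# not clickable links and must never count towards a link heuristic.
XMP_NAMESPACES = {
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/", "http://ns.adobe.com/xap/1.0/rights/",
}
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")  # /A << /S /URI /URI (...) >>
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")

def pdf_string(s):
    """Encode s as a PDF literal string, escaping backslashes and parentheses."""
    esc = s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    return b"(" + esc + b")"

def build_sample_pdf(link_urls, body_text):
    """Constructed, structurally minimal PDF: one page, one /Link annotation per URL, a
    content stream carrying body_text, an XMP metadata stream and no xref table."""
    refs = b" ".join(b"%d 0 R" % (6 + i) for i in range(len(link_urls)))
    content = b"BT /F1 10 Tf 50 700 Td " + pdf_string(body_text) + b" Tj ET"
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><pdf:Producer>wkhtmltopdf 0.12.5'
           b'</pdf:Producer></rdf:Description></rdf:RDF>')
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
        + refs + b"] >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    for i, url in enumerate(link_urls):
        y = 650 - 12 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 300 %d] /A << /S /URI /URI "
                    % (y, y + 10) + pdf_string(url) + b" >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def classify_urls(pdf_bytes):
    """Map each URL to the channel(s) carrying it.  Caveat: a raw-byte scan misses
    objects packed in compressed /ObjStm or Flate-encoded streams; inflate those first."""
    channels, spans = {}, []
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        spans.append(m.span(1))
        url = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")  # undo \( \) \\
        channels.setdefault(url, set()).add("link-annotation")
    for m in ANY_URL_RE.finditer(pdf_bytes):
        if any(a <= m.start() < b for a, b in spans):
            continue  # inside a /URI action: already recorded above
        url = m.group(0).decode("latin-1")
        kind = "xmp-namespace" if url in XMP_NAMESPACES else "body"
        channels.setdefault(url, set()).add(kind)
    return channels

def is_redirector(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS)

def evaluate(pdf_bytes, min_links=10, min_share=0.6, max_size=200 * 1024):
    """Return the (rule, severity) pairs that fire, in the report's order."""
    channels = classify_urls(pdf_bytes)
    links = [u for u, c in channels.items() if "link-annotation" in c]
    hits = []
    if any(is_redirector(u) for u in links):
        hits.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical"))
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    if len(pdf_links) >= min_links and len(pdf_bytes) <= max_size:
        top = Counter(urlparse(u).hostname for u in pdf_links).most_common(1)[0][1]
        if top / len(pdf_links) >= min_share:  # links clustered on one host
            hits.append(("PDF_SEO_LINK_FARM", "critical"))
    if any(c & {"link-annotation", "body"} for c in channels.values()):
        hits.append(("EMBEDDED_URL", "info"))  # informational; namespaces never count
    return hits

LURE_URL = "https://ttraff.com/pify?keyword=alcoholic+whatsapp+status+video"
FARM_URLS = [  # the farm from the report: two odd hosts, then thirteen on cdn.shopify.com
    "http://files.copyslutband.com/uploads/1/3/1/3/131398374/1c4534b8b036f6.pdf",
    "http://files.jessiedallasdesigns.com/uploads/1/3/0/7/130739084/jawibim.pdf",
] + ["https://cdn.shopify.com/s/files/1/%s/files/%s.pdf" % p for p in [
    ("0429/3197/8403", "r_programming_assignments"), ("0432/8911/6836", "64907398388"),
    ("0433/0687/7080", "xodowowesibaxen"), ("0435/3956/2651", "14972335216"),
    ("0429/8981/3909", "milani"), ("0435/2029/5064", "49739620325"), ("0430/3604/9571", "naselawo"),
    ("0433/0012/6885", "jevukexizazipotigupasuboj"), ("0430/6678/5949", "zevukagosozufidodoj"),
    ("0430/1121/1417", "vehicle_lease_agreement_template_bc"), ("0431/7410/1160", "64864396963"),
    ("0440/5808/3480", "access_android_messages_on_pc"), ("0447/7802/9213", "tegopesowu"),
]]
SAMPLE_PDF = build_sample_pdf([LURE_URL] + FARM_URLS, "alcoholic whatsapp status video " + LURE_URL)
BENIGN_PDF = build_sample_pdf(["https://example.org/paper.pdf", "https://example.net/"], "See refs.")

if __name__ == "__main__":
    for url, chans in sorted(classify_urls(SAMPLE_PDF).items()):
        print(", ".join(sorted(chans)).ljust(24), url)
    print("sample:", evaluate(SAMPLE_PDF), "\nbenign:", evaluate(BENIGN_PDF))
```

On the constructed sample the lure URL is labelled both "link-annotation" and "body", the six namespace URIs are labelled "xmp-namespace" and ignored by the rules, and all three heuristics fire; the benign control with two links on two hosts only yields the informational EMBEDDED_URL. On real samples, decompress object streams and Flate-encoded content before scanning, otherwise link annotations hidden in /ObjStm containers are silently missed.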

Extracted artifacts 2

Files carved from inside the sample during analysis.

font_00_sfnt_off0000593e.bin
  SHA-256: e88707e49348f4b2f3c4128e83a6e3b8ade303dce04c5b476bc321a2bea2a067
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x593E
  Size: 5204 bytes
font_01_sfnt_off00006afe.bin
  SHA-256: f6a423b3af41c0db646a6d101cc0130c6ae49669a1aca0c510b3db8a49d03537
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6AFE
  Size: 10100 bytes