Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d46263aa20cb918…

MALICIOUS

PDF

43.4 KB Created: 2020-08-09 09:37:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fff246418414c1c17dd7717c7c5b7ae SHA-1: 1a0bd4569ff6d468a1b7654cca07701ca627d22a SHA-256: 1d46263aa20cb918404361af3919ac32e1821107ad8cdb06c37b99b656f0bb35
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a link to a known malicious redirector, ttraff.cc, which is likely used to obscure the final destination and deliver a payload. The document also features a large number of external links, many pointing to Shopify-hosted PDFs, suggesting a link farm or SEO poisoning tactic to attract victims. The primary malicious URL identified is https://ttraff.cc/pify?keyword=energie+renouvelable+pdf+cours.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=energie+renouvelable+pdf+cours
    • http://files.tummyandtot.com/uploads/1/3/1/8/131872037/maxorademuzujizuki.pdf
    • http://files.writingforhisglory.com/uploads/1/3/1/4/131408103/805131.pdf
    • http://files.elementmaster.com.au/uploads/1/3/2/3/132302718/geregonubuv_kibikixasima_vosobu.pdf
    • http://gezofu.skintwalletsusa.com/uploads/1/3/1/4/131406390/tedugazevo-juliwuwij.pdf
    • https://cdn.shopify.com/s/files/1/0428/9265/6799/files/matedu.pdf
    • https://cdn.shopify.com/s/files/1/0434/0659/0106/files/zeruru.pdf
    • https://cdn.shopify.com/s/files/1/0436/1289/7437/files/copper_nickel_alloys.pdf
    • https://cdn.shopify.com/s/files/1/0431/7177/4615/files/73838516310.pdf
    • https://cdn.shopify.com/s/files/1/0428/3957/2643/files/alkane_alkene_alkyne_download.pdf
    • https://cdn.shopify.com/s/files/1/0430/9562/1781/files/66537140051.pdf
    • https://cdn.shopify.com/s/files/1/0432/9455/6324/files/vebaxerepibudozirefogoze.pdf
    • https://cdn.shopify.com/s/files/1/0430/7596/0985/files/pivapudadiviru.pdf
    • https://cdn.shopify.com/s/files/1/0428/5746/3971/files/nojuneroxalunefewile.pdf
    • https://cdn.shopify.com/s/files/1/0433/3695/8104/files/tadujutabewiwojewanokat.pdf
    • https://cdn.shopify.com/s/files/1/0430/4309/4677/files/3326587987.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000667b.bin
2f56ba53cb7312fa10966b09f85edc79f276c2e1f24da60c3d4bdfb7ce9f8d4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x667B 5480 bytes
font_01_sfnt_off00007935.bin
9100b5c1293edc25d4c7039014c2204b0ec4e8ca5c0ebf4585faa5eeb31d96f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7935 11824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.