Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dd21333baaded5e…

MALICIOUS

PDF

41.4 KB Created: 2020-09-18 16:40:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5616cf0008145a10f5584743399a2c47 SHA-1: c12ad5a03cbc0cfa7e333bd80f87c0815464ff9d SHA-256: 1dd21333baaded5ea270ef45b56f6750ee57eb4238ffd1b45ba8fe101a9234dc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, with one critical heuristic identifying it as a malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be a lure for a specific PDF. The primary malicious link is https://ttraff.link/wix?keyword=icewind+dale+trilogy+pdf, which likely serves as the initial entry point for further malicious activity.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=icewind+dale+trilogy+pdf
    • http://sijotexun.graceforthebroken.org/uploads/1/3/2/6/132695780/vexemawepogu.pdf
    • http://files.nancyparkinson.com/uploads/1/3/0/8/130814586/4803561.pdf
    • http://resinare.javiatorsim.com/uploads/1/3/1/4/131437601/a54d8.pdf
    • https://38dcdb68-7bb8-4f70-9fd5-15120c4eb8de.filesusr.com/ugd/4cd51e_53394c6c131245788e5718b9a09fe441.pdf?index=true
    • https://812d2496-b9da-4b23-bb84-d70238233e57.filesusr.com/ugd/0d002d_ac162ff280af4ab692e98f64a10ae5dc.pdf?index=true
    • https://6282dac2-45ea-4510-827d-4b7b9f126aee.filesusr.com/ugd/9734e7_56419b5caf7141adbc86815d0b4e56b2.pdf?index=true
    • https://63ba38e7-ea91-42a4-9635-ec65b794a22c.filesusr.com/ugd/49f5ef_6d72740a57404c3bbbb7d1d1e9090ab2.pdf?index=true
    • https://7c9f49db-3a8a-4b2d-aabf-4c15dcf4a9d0.filesusr.com/ugd/6c98bc_96a37597776d4622b38a752c0f9a5185.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53607129813.pdf
    • https://cdn.shopify.com/s/files/1/0430/7465/0261/files/86080248161.pdf
    • https://cdn.shopify.com/s/files/1/0435/2383/4024/files/jkbose_datesheet_11th_class_2018.pdf
    • https://cdn.shopify.com/s/files/1/0435/2835/6000/files/burger_king_gutscheine_oktober.pdf
    • https://cdn.shopify.com/s/files/1/0484/3113/6936/files/dememevedosuvo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0417/4233/files/90367842849.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063fb.bin
036c6cab373f538cf42ec3da38a2d81582daca52a5b7d00118bc341c38679983		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63FB 5276 bytes
font_01_sfnt_off00007617.bin
c82524087ff276f2b2fa905c5b6d5cf239c5007c14e730db0ee7a909bb1b4b9c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7617 10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.