Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e6c10a3ab151c8d…

Verdict: MALICIOUS
File type: PDF
Size: 46.5 KB
Created: 2020-09-01 15:00:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68ee0cc80adaf90dd78b78fe8330c3b9
SHA-1: d1eb37dc49ec63c200418e539f454cae739f964a
SHA-256: 1e6c10a3ab151c8d8d3015ae557a7089ea865456462ad86f1c790088a09f4083
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, identified as a link farm. One of the primary links, 'https://ttraff.link/wix?keyword=top+rated+tower+defense+android+games', is known to redirect to malicious infrastructure. The document body, though heavily obfuscated, also contains this URL, suggesting it is the intended lure. The file's purpose appears to be to direct users to potentially harmful content through a network of links.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.link/wix?keyword=top+rated+tower+defense+android+games
    • https://cdn.shopify.com/s/files/1/0438/3821/0205/files/62204780087.pdf
    • https://cdn.shopify.com/s/files/1/0434/1586/3463/files/80511468833.pdf
    • https://cdn.shopify.com/s/files/1/0434/7245/3797/files/sogubapipuwaxemitekenar.pdf
    • https://cdn.shopify.com/s/files/1/0431/8691/3431/files/kuwuwabitodafozu.pdf
    • https://static.usrfiles.com/ugd/9e14ca_19e4f8cbcf4c48338b90836557bfe545.pdf
    • https://static.usrfiles.com/ugd/93971e_c7a5d0cd8ccb4797abdf068cc4dc2cc5.pdf
    • https://static.usrfiles.com/ugd/b0cd75_b818db7413f04a1581e74e6553783310.pdf
    • https://static.usrfiles.com/ugd/b5aed9_7db9fd4939934b59af8105c3e6264f3b.pdf
    • https://static.usrfiles.com/ugd/b91566_ddb78d8cbc5d451f821b7a249774dc69.pdf
    • https://static.usrfiles.com/ugd/a59130_c147d25ecef54355a0b8277446d6932b.pdf
    • https://static.usrfiles.com/ugd/a2e20a_7af679e712cd42b6ac932145b5e18f93.pdf
    • https://static.usrfiles.com/ugd/ea5d7b_8848906980eb4ffda229b25f1055d8f6.pdf
    • https://cdn.shopify.com/s/files/1/0431/8937/1044/files/31376535404.pdf
    • https://cdn.shopify.com/s/files/1/0433/3027/3448/files/6478908889.pdf
    • https://cdn.shopify.com/s/files/1/0436/0693/3661/files/skype_old_version.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    (The last six entries are standard RDF/Dublin Core/XMP metadata namespace identifiers from the document's metadata stream, not clickable links.)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006633.bin
  SHA-256: 7d7fd902fa208b935c462f492b87695ba363d397b3dc6653160b17cacee42777
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6633
  Size: 4692 bytes

Filename: font_01_sfnt_off000076c3.bin
  SHA-256: 188e812040cc36168eae489a4148f7497acd43162229c7bca16960d10739b5c3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x76C3
  Size: 5368 bytes

Filename: font_02_sfnt_off00008906.bin
  SHA-256: dc1c39712cf8767f9bc1347d3883b6ede0efcfb25e889bad45fc0da7d3df24e8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8906
  Size: 10468 bytes