Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fb842327946402c…

MALICIOUS

PDF

43.4 KB Created: 2020-09-01 22:50:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90009f53f95084ad1edaa7fb36b76555 SHA-1: 18cd6fd3935a3adbfb370a9a4dcbf0d472c717da SHA-256: 1fb842327946402c4bbae7ae975f8bdf7bd66d0add66df5da0453cf99294a9eb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, many of which point to Shopify domains, likely as part of an SEO link farm. One critical heuristic identified a link to a known malicious redirector at 'https://ttraff.me/wix?keyword=wedding+band+size+guide'. The document body, though heavily obfuscated, contains text related to 'Wedding band size guide' and the malicious URL, suggesting a lure to a phishing or malware distribution site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=wedding+band+size+guide
    • https://cdn.shopify.com/s/files/1/0448/4192/6818/files/nsw_auditor_general_report_2015.pdf
    • https://cdn.shopify.com/s/files/1/0432/0608/2717/files/vemabevufomodiwixorobopob.pdf
    • https://cdn.shopify.com/s/files/1/0431/5843/8037/files/74871032531.pdf
    • https://cdn.shopify.com/s/files/1/0434/0973/5845/files/xuxade.pdf
    • https://cdn.shopify.com/s/files/1/0427/8734/0454/files/lopuneripegotatukuto.pdf
    • https://cdn.shopify.com/s/files/1/0433/4295/4661/files/47144613900.pdf
    • https://cdn.shopify.com/s/files/1/0449/3407/0440/files/c_programs_download.pdf
    • https://cdn.shopify.com/s/files/1/0431/2439/2087/files/nom_035_riesgos_psicosociales.pdf
    • https://cdn.shopify.com/s/files/1/0430/0485/4426/files/flowserve_apex_7000_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/9005/9176/files/7928748388.pdf
    • https://cdn.shopify.com/s/files/1/0429/2670/2755/files/99357861908.pdf
    • https://cdn.shopify.com/s/files/1/0440/6683/2534/files/86660795052.pdf
    • https://cdn.shopify.com/s/files/1/0432/8813/3787/files/sazim.pdf
    • https://cdn.shopify.com/s/files/1/0435/2632/4383/files/mitevafefapoxafulakel.pdf
    • https://static.usrfiles.com/ugd/fac845_4d6933b97fbb4212a129c10b4c9d400f.pdf
    • https://static.usrfiles.com/ugd/0a593f_c201baf35c854ccd863b3650671bde09.pdf
    • https://static.usrfiles.com/ugd/2f7815_406f1ca519144686952e6cd057358f13.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d1f.bin
555b2e1f729ce141fc24818d61001cc5c9e61fd43893aa0a7e977f2a5efd528e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D1F 5068 bytes
font_01_sfnt_off00007e88.bin
2afc15321d9909445d683701e397de632a7f7ec5e1859fd80559ba2da068ba49		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E88 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.