Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fb89e3b388b959e…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Created: 2020-07-31 07:50:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4af0592e9a579bedd8d5dcbaa2cc6df1
SHA-1: 363967035925c7de7c460981d89d74dd373966c6
SHA-256: 1fb89e3b388b959e605929dc7d4c9acab8bedf9a6b5250072c040a9f21efeabb
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external websites. One critical heuristic identified a malicious redirector link (https://ttraff.cc/pify?keyword=snack+recipe+pdf), indicating an attempt to direct users to harmful content. The document body, though heavily obfuscated, suggests a lure related to 'snack recipe pdf'. The presence of numerous links, including those hosted on Shopify, points towards a link farm or phishing campaign.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=snack+recipe+pdf (flagged redirector link)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off000071e5.bin
    SHA-256: f644c269b895e0095a0812aaaed35b05b5fa3af7961c6f73c93b2ea1a92b0600
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71E5
    Size: 4704 bytes
  • Filename: font_01_sfnt_off000081de.bin
    SHA-256: bf7fe332cdb8febe008b229d708916940fdbd463cea0420deae654379f5d108e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81DE
    Size: 10360 bytes