Malicious PDF — malware analysis report

Static analysis result for SHA-256 203868c2009363a4…

MALICIOUS

PDF

39.6 KB Created: 2020-08-18 21:50:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 782c16b0b2f52e4410f9c0d21fd7bae9 SHA-1: c511976b0b5dc2f684fd7c9ac6fae78bd8c7f64b SHA-256: 203868c2009363a4007d44a253b84e67ac346991e39e2c497377aa685e3444bb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a malicious redirector link disguised as a helpful document about Excel worksheets. The primary heuristic indicates a critical PDF redirector link to traff.com, which is known for malicious activity. Additionally, the PDF contains a large number of external links, many hosted on Shopify, suggesting a link farm or SEO manipulation tactic to distribute the malicious payload. No scripts were extracted, but the embedded malicious URL is the primary vector for infection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=duplicates+in+excel+worksheets
    • http://files.malshamsiaudit.ae/uploads/1/3/1/4/131408142/kudamawizu_notazoridulim_mimikosobuboj.pdf
    • http://files.ggbarry.com/uploads/1/3/0/9/130969551/xemexizalexow.pdf
    • https://cdn.shopify.com/s/files/1/0432/6470/4662/files/nelij.pdf
    • https://cdn.shopify.com/s/files/1/0433/6985/7176/files/wosebozenewepezaluki.pdf
    • https://cdn.shopify.com/s/files/1/0433/7428/0855/files/sepubuzanutalekojowisije.pdf
    • https://cdn.shopify.com/s/files/1/0430/4994/3202/files/48034935441.pdf
    • https://cdn.shopify.com/s/files/1/0429/3486/1987/files/rupasiwefifamelud.pdf
    • https://cdn.shopify.com/s/files/1/0435/3196/0474/files/47805827295.pdf
    • https://cdn.shopify.com/s/files/1/0435/5126/0823/files/wakumesibodenekapafuxomun.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78986196578.pdf
    • https://cdn.shopify.com/s/files/1/0438/4089/7189/files/kinisofakebilusobev.pdf
    • https://cdn.shopify.com/s/files/1/0433/3699/0885/files/peponolavogugun.pdf
    • https://cdn.shopify.com/s/files/1/0431/5119/6315/files/ncaa_basketball_2020_bracket.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ef2.bin
1b769e1590afd87832b217d97b7cefebedb2461cc36b4bebf93da368b158af63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EF2 5244 bytes
font_01_sfnt_off000070d6.bin
17d9a6aa9c72340bf541a16f6ac36ac62131d2f9f1a6f93115848e9f17e6a9e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70D6 9648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.