Malicious PDF — malware analysis report

Static analysis result for SHA-256 2299679a92960ce2…

MALICIOUS

PDF

35.3 KB Created: 2020-08-31 07:17:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 830ba22e294e424f19f65ebe3a33e732 SHA-1: 584c55581cdd405d459f1d4a9036060dc37490bc SHA-256: 2299679a92960ce256167a6ba60c869377109af67d943a272e119f80dd933716
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, a technique often used to create SEO link farms or to direct users to malicious sites. One of the primary URLs, 'https://ttraff.cc/wix?keyword=bring+it+on+all+or+nothing+online+fr', is flagged as a malicious redirector. The document body, though heavily obfuscated, contains this URL and other Shopify links, suggesting a lure to a malicious site under the guise of a report.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=bring+it+on+all+or+nothing+online+fr
    • https://cdn.shopify.com/s/files/1/0438/0858/7938/files/annual_report_example.pdf
    • https://cdn.shopify.com/s/files/1/0437/8673/1681/files/jovisufikiwozezugopin.pdf
    • https://cdn.shopify.com/s/files/1/0438/3830/8512/files/97532401050.pdf
    • https://cdn.shopify.com/s/files/1/0437/9508/7522/files/mechanism_of_action_antiepileptic_drugs.pdf
    • https://cdn.shopify.com/s/files/1/0433/9046/8245/files/2.pdf
    • https://cdn.shopify.com/s/files/1/0431/8904/3358/files/lutejimodafisev.pdf
    • https://cdn.shopify.com/s/files/1/0434/7458/3702/files/jabomedosugotajirojok.pdf
    • https://static.usrfiles.com/ugd/37428b_f6ec5235ce824b059472e04615a6f346.pdf
    • https://static.usrfiles.com/ugd/e2c6c1_c5372f1816e64360b7747090627116b7.pdf
    • https://cdn.shopify.com/s/files/1/0427/9920/2467/files/tuzok.pdf
    • https://cdn.shopify.com/s/files/1/0433/7667/2918/files/1890937927.pdf
    • https://cdn.shopify.com/s/files/1/0435/7967/0689/files/93208281435.pdf
    • https://cdn.shopify.com/s/files/1/0435/4765/6343/files/49051341123.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d62.bin
1f19f16b7c7345a6d4654ca544f8a8d737561ebfbb9705b1bd652cad0337f1ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D62 4900 bytes
font_01_sfnt_off00005e04.bin
0d2493557d4f6492555084758092ac7e212dd7d95856484f1d6479c1c373bf1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E04 10060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.