Malicious PDF — malware analysis report

Static analysis result for SHA-256 23a346fa438010c4…

MALICIOUS

PDF

38.6 KB Created: 2020-09-05 14:07:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff01591af645e9f41394aee21e147c21 SHA-1: b7087ee8e02fec627e4666a64e9e4a27917ffacc SHA-256: 23a346fa438010c4dd042433c20b0664daeb78a6da4b385b7c8882d3db449fd2
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which is also present in the document body. This link, 'https://ttraff.me/wix?keyword=free++lagu+ciara+level+up', is designed to redirect users to malicious infrastructure. The PDF also contains a large number of embedded links, many pointing to Shopify, which is characteristic of SEO link farm techniques used to obscure malicious activity.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=free++lagu+ciara+level+up
    • https://cdn.shopify.com/s/files/1/0430/1750/2869/files/budget_and_economic_survey_2020_summary.pdf
    • https://cdn.shopify.com/s/files/1/0432/6994/7555/files/ielts_2_listening_test_1_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/3058/5250/files/lego_dimensions_simpsons_level_guide.pdf
    • https://static.usrfiles.com/ugd/6f58fb_587d611caf36486592d4674be7293511.pdf
    • https://static.usrfiles.com/ugd/ec0012_e838bf75dda74bd38cce99c9bc7691bd.pdf
    • https://static.usrfiles.com/ugd/de60da_b47252489f4e45ea8b55463633f06bbd.pdf
    • https://static.usrfiles.com/ugd/3e87bf_ab2da86279304c5ba4c58b5cc14524c7.pdf
    • https://static.usrfiles.com/ugd/5cf23b_3d0a468492be488eb5d569109c21b6ff.pdf
    • https://cdn.shopify.com/s/files/1/0431/4310/2613/files/nezaxinolilixofubinesuwol.pdf
    • https://cdn.shopify.com/s/files/1/0433/8538/9221/files/romixovuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/7586/1656/files/vasujetabukepegovuw.pdf
    • https://static.usrfiles.com/ugd/e2f197_38f8953239924717ac2c159f44558908.pdf
    • https://static.usrfiles.com/ugd/3de8a6_a6b5fd76b66f42adb8b1966ce82aa3c6.pdf
    • https://static.usrfiles.com/ugd/575fb0_71d585dcae2f4a0f8ce9d6d20df868e4.pdf
    • https://static.usrfiles.com/ugd/f4de5e_4c45101594304bf4a13a2cdd4a68af0c.pdf
    • https://static.usrfiles.com/ugd/b8c837_7d862d8c369b475b88e180046f18280d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000588c.bin
01334b28476a9cc2a968c3574880f761db5f6f303088056d4b77fbc25edaec1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x588C 4936 bytes
font_01_sfnt_off00006978.bin
535bf419d62ca06859d6e01a293a2bf88e19a098494fbd43d1490f5e2a0400eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6978 10572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.