Malicious PDF — malware analysis report

Static analysis result for SHA-256 272b6804f40454d2…

MALICIOUS

PDF

38.6 KB Created: 2020-08-15 01:48:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ede102565de274a3aa9863c0a6f8c1a SHA-1: f07233dcd82cfd6de36c4ad3b7d56987c654b4df SHA-256: 272b6804f40454d2e03fc20f89668c9c037d8f15a81554d287bbcfeac417e44b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, with a critical heuristic firing indicating a link to known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=r+alphabet+wallpaper+free'. Another critical heuristic identified a PDF link farm, with the first URL pointing to 'https://cdn.shopify.com/s/files/1/0431/6086/2874/files/salikegisuga.pdf'. The document body, though partially corrupted, contains text related to 'R alphabet wallpaper free', suggesting a lure to disguise the malicious links.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=r+alphabet+wallpaper+free
    • http://files.josephbrowne.net/uploads/1/3/0/8/130874485/ziwasubowofax.pdf
    • http://files.yojimbocorp.com/uploads/1/3/1/4/131453177/79c11ee7bc056.pdf
    • http://files.piperdavisbaseball.org/uploads/1/3/1/6/131636642/648d4.pdf
    • https://cdn.shopify.com/s/files/1/0431/6086/2874/files/salikegisuga.pdf
    • https://cdn.shopify.com/s/files/1/0430/0403/5221/files/2095006312.pdf
    • https://cdn.shopify.com/s/files/1/0432/8197/3416/files/wetejanumuvavujelobaza.pdf
    • https://cdn.shopify.com/s/files/1/0430/7235/6513/files/vizomavulekagabalelunudep.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/8833338052.pdf
    • https://cdn.shopify.com/s/files/1/0431/9939/8052/files/56774386235.pdf
    • https://cdn.shopify.com/s/files/1/0427/9818/6663/files/93400782882.pdf
    • https://cdn.shopify.com/s/files/1/0432/4923/8178/files/nuvumipebamewewodobokat.pdf
    • https://cdn.shopify.com/s/files/1/0432/6955/4332/files/32810779530.pdf
    • https://cdn.shopify.com/s/files/1/0433/5638/9528/files/51292871655.pdf
    • https://cdn.shopify.com/s/files/1/0435/6990/5825/files/21716292318.pdf
    • https://cdn.shopify.com/s/files/1/0429/5717/6986/files/tamuka.pdf
    • https://cdn.shopify.com/s/files/1/0430/7012/8277/files/kaxapilikomipokilil.pdf
    • https://cdn.shopify.com/s/files/1/0432/7541/9798/files/97663122184.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b66.bin
944ca7b7bd252aed5cc131ee4fd4a38930aea8d9c392e947fa61aef95c8c0cfe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B66 5052 bytes
font_01_sfnt_off00006ca0.bin
941601395e2ce8b7936a862c25dc9c0e5136bb71a5d6f0b5c69de9422ee99b2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CA0 9696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.