Malicious PDF — malware analysis report

Static analysis result for SHA-256 28ffbfde57c5d1f0…

Verdict: MALICIOUS
File type: PDF
Size: 51.3 KB
Created: 2020-08-21 13:10:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 616d0420e5d2b60ab9db72c46a459532
SHA-1: 1b7f284a208ca0500712c15d1c6ddad8ddf36078
SHA-256: 28ffbfde57c5d1f0309e226fcef22319ed7c2b526a843596a92c21fdd3a7c747
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 (Spearphishing Link); T1204.002 (Malicious File)

The PDF document contains a link farm and a critical redirector link pointing to ttraff.com. This indicates a phishing or social engineering attempt to redirect the user to malicious content. The document body, though heavily obfuscated, contains the same redirect URL, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL:
    • https://ttraff.com/pify?keyword=project+business+case+template.+doc
    External PDF links:
    • http://files.sheilastonephotographer.com/uploads/1/3/1/4/131414561/gotewunenof.pdf
    • https://cdn.shopify.com/s/files/1/0431/7134/8641/files/97728163256.pdf
    • https://cdn.shopify.com/s/files/1/0434/8765/8141/files/curso_violo_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0437/5547/1006/files/full_accounting_cycle_example_problems.pdf
    • https://cdn.shopify.com/s/files/1/0434/6452/3926/files/35302624660.pdf
    • https://cdn.shopify.com/s/files/1/0428/3963/8179/files/79347736297.pdf
    • https://cdn.shopify.com/s/files/1/0433/3702/3641/files/php_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0430/7527/2855/files/goletexedo.pdf
    • https://cdn.shopify.com/s/files/1/0439/6918/3902/files/82580132384.pdf
    • https://cdn.shopify.com/s/files/1/0437/4944/1687/files/32179558226.pdf
    • https://cdn.shopify.com/s/files/1/0431/0722/1661/files/left_side_menu_website_template.pdf
    • https://cdn.shopify.com/s/files/1/0438/0426/2561/files/mafugejevo.pdf
    XMP/RDF metadata namespace URIs (schema identifiers from the document metadata, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
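The two critical heuristics above reduce to a size, link-count and host-clustering test over the document's /URI link annotations, plus a lookup of each link's host against a redirector indicator list. The script below, added here as an illustration and not the analysis engine's own code, implements that logic in Python over the raw PDF bytes. The thresholds MAX_CARRIER_SIZE_KB, MIN_PDF_LINKS and MIN_TOP_HOST_SHARE are assumed values, KNOWN_REDIRECTOR_HOSTS contains only ttraff.com because that is the host this report labels as redirector infrastructure, and the test document is constructed from the URLs listed above rather than being the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed indicator list: the report labels ttraff.com as redirector infrastructure;
# a real deployment would load an analyst-maintained list here.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.com"}
# Assumed thresholds (hypothetical, not the analysis engine's real values).
MAX_CARRIER_SIZE_KB = 256   # "small PDF"
MIN_PDF_LINKS = 8           # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.5    # "mostly clustered on one host"

# URLs from the report's EMBEDDED_URL list, reused to build a constructed test
# document; the real sample is not reproduced here.
REPORT_URLS = [
    "https://ttraff.com/pify?keyword=project+business+case+template.+doc",
    "http://files.sheilastonephotographer.com/uploads/1/3/1/4/131414561/gotewunenof.pdf",
    "https://cdn.shopify.com/s/files/1/0431/7134/8641/files/97728163256.pdf",
    "https://cdn.shopify.com/s/files/1/0434/8765/8141/files/curso_violo_gratis.pdf",
    "https://cdn.shopify.com/s/files/1/0437/5547/1006/files/full_accounting_cycle_example_problems.pdf",
    "https://cdn.shopify.com/s/files/1/0434/6452/3926/files/35302624660.pdf",
    "https://cdn.shopify.com/s/files/1/0428/3963/8179/files/79347736297.pdf",
    "https://cdn.shopify.com/s/files/1/0433/3702/3641/files/php_tutorial.pdf",
    "https://cdn.shopify.com/s/files/1/0430/7527/2855/files/goletexedo.pdf",
    "https://cdn.shopify.com/s/files/1/0439/6918/3902/files/82580132384.pdf",
    "https://cdn.shopify.com/s/files/1/0437/4944/1687/files/32179558226.pdf",
    "https://cdn.shopify.com/s/files/1/0431/0722/1661/files/left_side_menu_website_template.pdf",
    "https://cdn.shopify.com/s/files/1/0438/0426/2561/files/mafugejevo.pdf",
]


def build_sample_pdf(urls):
    """Constructed sample: a minimal uncompressed PDF whose single page carries one
    /Link annotation per URL, alternating literal (...) and hex <...> /URI strings so
    both PDF string syntaxes are exercised. No xref table is written because the
    scanner below works on raw bytes and never parses one."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >> endobj")
    for i, url in enumerate(urls):
        raw = url.encode()
        enc = b"(" + raw + b")" if i % 2 == 0 else b"<" + raw.hex().encode() + b">"
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI " % (4 + i) + enc + b" >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# /URI followed by either a literal string (escapes allowed) or a hex string.
URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)


def _decode_pdf_string(tok: bytes) -> str:
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s+", b"", tok[1:-1])
        if len(hexdigits) % 2:          # PDF pads an odd trailing digit with 0
            hexdigits += b"0"
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    body = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])   # undo \( \) \\ escapes
    return body.decode("latin-1")


def scan_pdf_links(data: bytes) -> dict:
    """Extract /URI link targets and apply the link-farm and redirector heuristics."""
    urls = []
    for m in URI_RE.finditer(data):
        url = _decode_pdf_string(m.group(1))
        if url not in urls:
            urls.append(url)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_count / len(pdf_links) if pdf_links else 0.0
    size_kb = len(data) / 1024
    redirectors = [u for u in external if urlparse(u).hostname in KNOWN_REDIRECTOR_HOSTS]
    rules = []
    if redirectors:
        rules.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if size_kb <= MAX_CARRIER_SIZE_KB and len(pdf_links) >= MIN_PDF_LINKS and share >= MIN_TOP_HOST_SHARE:
        rules.append("PDF_SEO_LINK_FARM")
    if external:
        rules.append("EMBEDDED_URL")
    return {"size_kb": round(size_kb, 1), "urls": urls, "pdf_link_count": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2),
            "redirector_urls": redirectors, "rules": rules}


if __name__ == "__main__":
    import json
    print(json.dumps(scan_pdf_links(build_sample_pdf(REPORT_URLS)), indent=2))
```

A byte-level scan is enough when annotation dictionaries sit uncompressed in the file, as in PDF 1.4 output from older Qt-based generators; it misses /URI entries packed into compressed object streams (PDF 1.5+), and it does not inflate Flate-compressed content streams, so the copy of the redirect URL the report found in the obfuscated document body would need a zlib pass over each stream before the same host lookup is applied.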

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00008a92.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8A92   5468 bytes
  SHA-256: a50f84e3c569d832b152b2ffd1a84d1071ae2635b6d09f6031b350bbd2e8fa87
font_01_sfnt_off00009d0a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x9D0A   10372 bytes
  SHA-256: 8c008886dbbd62841ecbd36e0c917028c1473512a7092702128e6d6faf3d722b