Malicious PDF — malware analysis report

Static analysis result for SHA-256 29cac92c9fef021a…

MALICIOUS

PDF

46.3 KB Created: 2020-08-20 12:11:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe0e3d7d7247fcaeb11f7dfdbdd0dd8d SHA-1: a41fb90a88e0909f1d01ce81503729138f50770b SHA-256: 29cac92c9fef021a846957caee4fa70f331b68dd90eb59c8da7085fb04f51a8c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with a critical heuristic identifying it as a link farm. One of these links, 'https://ttraff.cc/pify?keyword=form+action+route+laravel', is flagged as a malicious redirector. The document body, though partially corrupted, also contains this URL and other benign-looking Shopify links, suggesting a lure to external, potentially malicious, content. The primary attack pattern involves leveraging these links to redirect users to harmful sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=form+action+route+laravel
    • http://files.winequeen.net/uploads/1/3/0/8/130814132/mozitov.pdf
    • http://pojofa.centralcemetery.net/uploads/1/3/2/6/132681218/5e2edc3a190f.pdf
    • http://nulurebuw.uoftdivest.com/uploads/1/3/2/8/132815296/5098763.pdf
    • https://cdn.shopify.com/s/files/1/0439/0954/6136/files/luxofumati.pdf
    • https://cdn.shopify.com/s/files/1/0438/2857/6416/files/vasasemixuxufirupom.pdf
    • https://cdn.shopify.com/s/files/1/0432/6273/8592/files/redibilejelelonu.pdf
    • https://cdn.shopify.com/s/files/1/0436/1011/2163/files/most_common_adjectives_in_english.pdf
    • https://cdn.shopify.com/s/files/1/0428/6365/7119/files/wikuzaxaxawimufexetibix.pdf
    • https://cdn.shopify.com/s/files/1/0437/8086/6209/files/psychiatric_disorders_list.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/pisanebemewamabojesodid.pdf
    • https://cdn.shopify.com/s/files/1/0434/0259/2410/files/crossword_quiz_answers_video_games_level_4.pdf
    • https://cdn.shopify.com/s/files/1/0460/1289/1297/files/nuzebipujesu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0386/2440/files/xijixotiwejoxorazeduber.pdf
    • https://cdn.shopify.com/s/files/1/0431/2226/2167/files/24193282773.pdf
    • https://cdn.shopify.com/s/files/1/0437/2050/7544/files/actos_de_comercio_colombia.pdf
    • https://cdn.shopify.com/s/files/1/0433/5802/7928/files/vakaf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076aa.bin
4cc231f820f1d911a8135d7f6f04c32d623d74d5d4542980750cb941b3334098		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76AA 4784 bytes
font_01_sfnt_off000086d6.bin
a4f41b3f9b87336ea73f9ec76fdfa65d52748518680937c299ce4b7ad6c41f8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x86D6 10984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.