Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bd1931fdd3c2604…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Created: 2020-08-12 23:29:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5888231bfb8164318f046044182b0e2b
SHA-1: 2f833576fb68587912cdb3f1d77409a6e975a7ad
SHA-256: 2bd1931fdd3c2604bc0483d44dcb33a6793b54761e58634a51aa44454aad3470
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, pointing to ttraff.com. The document body, though heavily obfuscated, contains the same URL, suggesting it's the primary lure. The presence of a large number of external PDF links, many hosted on Shopify, indicates a link farm designed to obscure the malicious redirector. The file is likely a downloader or phishing lure.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=partnership+accounts+pdf+icai

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000611f.bin
    SHA-256: ecfdc291aab7d1560c1697d22a2818ec75604531fbdc5cb31bd8984a82869691
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x611F
    Size: 5212 bytes
  • Filename: font_01_sfnt_off000072c8.bin
    SHA-256: c1ea073aae006bb44d8dfd98d5d958ab18774ee44ec316350351cabbdfe00765
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72C8
    Size: 10148 bytes