Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cfd709072f336db…

Verdict: MALICIOUS
File type: PDF
Size: 59.4 KB
Created: 2020-08-10 19:06:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bc04b5b65d294b54bb96f273c85722d
SHA-1: 560db4351790a055d85260e6e4b87075e8cd44de
SHA-256: 2cfd709072f336dbfd5246d75b3896cf1aff9bb08c020d499c1d26822e094d45
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.com/pify?keyword=narasimha+kavacham+pdf'. The document body, though heavily obfuscated, also contains this URL, suggesting the primary intent is to lure the user to this malicious site. The presence of numerous other links, including those hosted on Shopify, indicates a potential link farm or SEO spam tactic to obscure the malicious destination.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=narasimha+kavacham+pdf
    • http://files.middlesexmotorcycle.com/uploads/1/3/0/7/130738993/669168.pdf
    • http://files.essexstdental.com/uploads/1/3/1/4/131438137/zilotilid.pdf
    • http://files.wordsfromtheword.com/uploads/1/3/1/6/131636957/9188569.pdf
    • http://files.ranchobonitos.com/uploads/1/3/2/6/132682110/rakavisojeg-kogisinowevofa-xezavijopawixa-naxexut.pdf
    • http://files.premiumlimousines.ch/uploads/1/3/1/3/131398117/ruxulemawujuxipa.pdf
    • https://cdn.shopify.com/s/files/1/0435/2491/5359/files/centrifugal_compressor_parts.pdf
    • https://cdn.shopify.com/s/files/1/0429/2168/9254/files/66082813492.pdf
    • https://cdn.shopify.com/s/files/1/0433/4551/0568/files/mufiwadudiwujemej.pdf
    • https://cdn.shopify.com/s/files/1/0428/3957/2643/files/visaxewipusulakurixe.pdf
    • https://cdn.shopify.com/s/files/1/0431/5293/3021/files/malepezagitaba.pdf
    • https://cdn.shopify.com/s/files/1/0437/1313/4757/files/mepisazazefufitogu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/22271122494.pdf
    • https://cdn.shopify.com/s/files/1/0433/1870/6331/files/40542707174.pdf
    • https://cdn.shopify.com/s/files/1/0433/5501/3275/files/volumen_corpuscular_medio_bajo.pdf
    • https://cdn.shopify.com/s/files/1/0429/1588/9305/files/13236605504.pdf
    • https://cdn.shopify.com/s/files/1/0428/1604/5222/files/rexemisurunurozuwus.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000734c.bin | bec819876fcf48402e9a57d7d7f04f4caab0a757ca894bb6379a2b7d66616d62 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x734C | 5456 bytes
font_01_sfnt_off000085b8.bin | 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x85B8 | 2656 bytes
font_02_sfnt_off000090bf.bin | 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90BF | 2328 bytes
font_03_sfnt_off00009b75.bin | b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9B75 | 2108 bytes
font_04_sfnt_off0000a54b.bin | 6bbb1df99282d2299ffb9eef5e11e27fe7d8963bac0750bcdbaf065159cb5926 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA54B | 15652 bytes
font_05_sfnt_off0000d331.bin | fd5a8ae879eb33205c6d4fe88f9351bfd6e423e8e9b5e64836cb142613c369b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD331 | 2960 bytes