Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d23a20020cb48f3…

MALICIOUS

PDF

47.1 KB Created: 2020-08-30 03:53:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78bcadc51933feed46e5811ac95c8ca5 SHA-1: b17c38baf4693b311be030c65793dcda57f22a7f SHA-256: 2d23a20020cb48f3d3351210c4a1dea116579cfed1244e3d21a7ffd8c72265e3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, including a critical link to a known malicious redirector at 'ttraff.com'. The document body, though partially corrupted, contains text referencing 'The Conjuring mp4mania' and the malicious URL, suggesting a lure to a potentially harmful site. The presence of numerous PDF links indicates a link farm strategy, likely for SEO poisoning or traffic redirection.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=the+conjuring+mp4mania
    • https://static.usrfiles.com/ugd/eb4c03_f628acc41ece45cab9c5f8d68d739003.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_ef87200f1f8c4184b0c4415eeecc0c30.pdf
    • https://static.usrfiles.com/ugd/51c472_703b3ce3c33643a48aa56eeb3aaaa9d9.pdf
    • https://static.usrfiles.com/ugd/856cea_ed6e4ba17c4a40bdb87ac0d66f7fae59.pdf
    • https://cdn.shopify.com/s/files/1/0430/5593/9733/files/pejezexaj.pdf
    • https://cdn.shopify.com/s/files/1/0434/4414/2245/files/tajosawozibomakuf.pdf
    • https://cdn.shopify.com/s/files/1/0435/2812/6618/files/78104352853.pdf
    • https://cdn.shopify.com/s/files/1/0436/4029/1486/files/hindu_god_images_hd_3d.pdf
    • https://cdn.shopify.com/s/files/1/0430/4211/1641/files/28920969564.pdf
    • https://cdn.shopify.com/s/files/1/0433/7693/5068/files/11699769726.pdf
    • https://cdn.shopify.com/s/files/1/0435/5332/5215/files/birthday_photo_frame_cake.pdf
    • https://cdn.shopify.com/s/files/1/0428/7997/5590/files/waiting_for_the_reply_email.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007623.bin
7d193f7f7f3a058af1e703fb2c0f42c7a34aeec0061de4b6caa6eaf3dd7f8a37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7623 5248 bytes
font_01_sfnt_off000087d8.bin
3b411191eb2af7547280c3529635dea71f407c5fa4ed03c01e570089541a30bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87D8 12448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.