Malicious PDF — malware analysis report

Static analysis result for SHA-256 3225a26be56de7af…

MALICIOUS

PDF

46.0 KB Created: 2020-08-01 14:25:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4defb9b139802e45b21311e832c0ec9e SHA-1: 7003207611aeebb4c787bdd4f287bfaa9cc24e17 SHA-256: 3225a26be56de7afec9bbb64cc8adbb39dd542c11317ac592182984e4b1cd0df
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, with one heuristic specifically identifying a malicious redirector link to 'ttraff.com'. Another heuristic indicates a link farm, with many links pointing to Shopify domains, likely used to obscure the final malicious destination. The document body contains garbled text but includes the malicious redirector URL, suggesting an attempt to lure users to a harmful site.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=tool+forge+tinkers
    • http://files.joycegalehouse.com/uploads/1/3/2/8/132814342/xitularalabaxe-wujibafuzun.pdf
    • http://files.jbombasaro.com/uploads/1/3/2/6/132696263/ponedew-mosiru.pdf
    • http://files.localmarke.com/uploads/1/3/2/6/132696029/dikuwokizewod.pdf
    • http://files.theinnerlifebooks.com/uploads/1/3/2/7/132711947/rebetepijatev.pdf
    • https://cdn.shopify.com/s/files/1/0430/4361/8965/files/39214120338.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vekedexixerokasadoboma.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/wugituvunajobi.pdf
    • https://cdn.shopify.com/s/files/1/0434/6983/2342/files/cvs_cashier_job_application.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/datufezon.pdf
    • https://cdn.shopify.com/s/files/1/0428/6277/2380/files/guxufelesoxupif.pdf
    • https://cdn.shopify.com/s/files/1/0434/8300/5078/files/sunken_temple_wow.pdf
    • https://cdn.shopify.com/s/files/1/0437/4868/8033/files/97194835776.pdf
    • https://cdn.shopify.com/s/files/1/0429/3279/7607/files/73110840068.pdf
    • https://cdn.shopify.com/s/files/1/0431/1416/8480/files/jamobalufajobu.pdf
    • https://cdn.shopify.com/s/files/1/0433/8424/2337/files/sunununoduxonura.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062cb.bin
4e4599f4a4c393af11c778e283ad8556461167dc13b545f51f2cdc59bec06e56		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62CB 4740 bytes
font_01_sfnt_off00007304.bin
f847c04e25e379be3fe50c649b80e1229a7385cc7abcc3d4012fd042c9e7948d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7304 10224 bytes
font_02_sfnt_off0000962b.bin
4a622579d79fb5cf055731417536ee63afb5faeeaba7f73d7a8c615f17972160		 pdf-font-stream PDF embedded font (sfnt) at offset 0x962B 16068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.