Malicious PDF — malware analysis report

Static analysis result for SHA-256 32a2daebfc34ae4a…

MALICIOUS

PDF

34.7 KB Created: 2020-08-05 18:29:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84b958d2f261c159e93efb584f19d3a1 SHA-1: e404f90107b788a5ab1e3836a1316b81d8f6229b SHA-256: 32a2daebfc34ae4a3a8705e58d9f29ba16f1ca3d080d11c140238dae137a1a9d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link pointing to ttraff.com. The document body, though heavily obfuscated, contains the same URL. The PDF also exhibits characteristics of a link farm, with numerous embedded URLs, many of which point to Shopify domains, likely for obfuscation. The primary malicious URL is a redirector designed to lead users to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=hey+there+delilah+guitar+tab+pdf
    • http://files.chandascreations.com/uploads/1/3/1/4/131452878/mabiwan.pdf
    • http://files.sanmateolimos.com/uploads/1/3/1/3/131383553/612544a.pdf
    • http://files.carlyhines.com/uploads/1/3/1/4/131437889/948e3e828dc.pdf
    • http://files.eatwellwithwilson.com/uploads/1/3/0/8/130814717/584b1b11.pdf
    • http://vapomi.gravelgrinderchallenge.com/uploads/1/3/2/3/132303374/856011.pdf
    • https://cdn.shopify.com/s/files/1/0429/8054/0575/files/viximixi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0668/0484/files/31058700280.pdf
    • https://cdn.shopify.com/s/files/1/0427/7259/4844/files/58699508669.pdf
    • https://cdn.shopify.com/s/files/1/0435/7554/1919/files/gurren_lagann_season_2.pdf
    • https://cdn.shopify.com/s/files/1/0433/3427/1126/files/zonij.pdf
    • https://cdn.shopify.com/s/files/1/0439/7717/9294/files/leadership_styles.pdf
    • https://cdn.shopify.com/s/files/1/0430/6308/3162/files/sasowigokijosijubepux.pdf
    • https://cdn.shopify.com/s/files/1/0429/6884/2393/files/65397696779.pdf
    • https://cdn.shopify.com/s/files/1/0430/3945/7431/files/intellectual_skills.pdf
    • https://cdn.shopify.com/s/files/1/0437/9148/3031/files/cpu_usage_mac.pdf
    • https://cdn.shopify.com/s/files/1/0432/5448/1058/files/98952675721.pdf
    • https://cdn.shopify.com/s/files/1/0428/8456/3110/files/hamilton_beach_microwave_parts.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004a26.bin
61588abf42b92b38c6d9e3073669936cc802038cb3fb49f10c54bd2be10a00c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4A26 5328 bytes
font_01_sfnt_off00005c41.bin
7fbfa58b208217404d6c0bfe7f8be86d404a3ff4736063a69783ba83e2a1bf75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C41 9784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.