Malicious PDF — malware analysis report

Static analysis result for SHA-256 33771f9e1574e467…

MALICIOUS

PDF

40.2 KB Created: 2020-08-15 10:43:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c23f504d64a1e927729da9496e6833cd SHA-1: 0deb35491318e29f37b09a49a553835146e71aaf SHA-256: 33771f9e1574e467fd6e6eeab1cc3a52ea024dd11fbaf9439eb44e469844d0fb
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a critical heuristic firing for a malicious redirector link pointing to 'ttraff.com'. It also exhibits a PDF link farm heuristic, with numerous links to shopify.com and other domains, suggesting a broad distribution effort. The document body contains text related to 'Acrobat pro 2017 helpx', likely a lure to encourage clicks on the embedded malicious link.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=acrobat+pro+2017++helpx
    • http://files.brookwoodcounseling.com/uploads/1/3/1/4/131454452/e24e42846d2.pdf
    • http://files.wsbra2020.com/uploads/1/3/0/7/130739368/bumurot_mosajulajonit_fojovajulunak.pdf
    • https://cdn.shopify.com/s/files/1/0433/8008/0801/files/abstract_algebra_an_introduction_3rd_edition.pdf
    • https://cdn.shopify.com/s/files/1/0435/5863/3631/files/41089370790.pdf
    • https://cdn.shopify.com/s/files/1/0440/5483/9461/files/22373198909.pdf
    • https://cdn.shopify.com/s/files/1/0429/5327/7596/files/37285454785.pdf
    • https://cdn.shopify.com/s/files/1/0431/8317/7887/files/nivenavalalidemovatebuzi.pdf
    • https://cdn.shopify.com/s/files/1/0438/8945/9368/files/aditya_hrudayam_stotram_in_marathi.pdf
    • https://cdn.shopify.com/s/files/1/0430/4545/3985/files/algorithm_in_c.pdf
    • https://cdn.shopify.com/s/files/1/0431/0056/9766/files/dunijavorizijajonib.pdf
    • https://cdn.shopify.com/s/files/1/0434/4119/3110/files/andhra_pradesh_government_holidays_list_2020_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005efb.bin
193f848f1cdb4dec5463731bf35f0c01868bf0f84bab68ac5e1edad69c84a68c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EFB 5448 bytes
font_01_sfnt_off0000717d.bin
763941bbde7a2a44c9a30350bf862ded7c6a5c141b5c751f824ab1b14ce03af7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x717D 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.