Malicious PDF — malware analysis report

Static analysis result for SHA-256 35baf28d15dde42c…

MALICIOUS

PDF

33.9 KB Created: 2020-08-30 08:10:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9215697b871bc30484ec41eb16bf7e98 SHA-1: e8f71f3eea8c3889cbb3086aaa6413aec7f45542 SHA-256: 35baf28d15dde42c125e99fbd38f81363ae1944e6a1e72c7c79f97950ba50e6c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a link farm designed to appear as legitimate content, likely to trick users into clicking malicious URLs. The primary malicious URL identified is https://ttraff.cc/wix?keyword=need+for+speed+rivals+t%25C3%25BCrk%25C3%25A7e+yama+in, which is flagged as a malicious redirector. The document body, though heavily obfuscated, contains references to game-related terms and the malicious URL, suggesting a lure for credential theft or further malware deployment.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=need+for+speed+rivals+t%25C3%25BCrk%25C3%25A7e+yama+in
    • https://cdn.shopify.com/s/files/1/0430/7111/1330/files/78861965323.pdf
    • https://cdn.shopify.com/s/files/1/0432/2331/8686/files/3225994548.pdf
    • https://cdn.shopify.com/s/files/1/0451/2271/5801/files/absurdist_fiction.pdf
    • https://cdn.shopify.com/s/files/1/0428/1909/2647/files/85001320447.pdf
    • https://cdn.shopify.com/s/files/1/0431/7764/0093/files/betujesa.pdf
    • https://cdn.shopify.com/s/files/1/0433/0828/6105/files/excel_pivot_table_report_templates.pdf
    • https://cdn.shopify.com/s/files/1/0429/2254/1209/files/filetedokizazijef.pdf
    • https://cdn.shopify.com/s/files/1/0463/2467/8813/files/vuwobezatawipipagewaj.pdf
    • https://cdn.shopify.com/s/files/1/0429/5042/6780/files/fonimotenabubobawu.pdf
    • https://static.usrfiles.com/ugd/26938b_dd16dc2a69714209badb20780e22b4ca.pdf
    • https://static.usrfiles.com/ugd/33a16d_1ec682a5d53f4d0f8bba488e228e0240.pdf
    • https://static.usrfiles.com/ugd/b8c837_a8de0b5250514b5fb7de2c281ec5ba82.pdf
    • https://static.usrfiles.com/ugd/ce5d00_78f293d93dde47ec86ee4d7a887114f5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000042ce.bin
3f6a18263dfc4b0dd5315cc9dd1484684d7c1aff656e5431f505582505d4a46c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x42CE 5684 bytes
font_01_sfnt_off000055e6.bin
85915d3b70dbb333aeec5f18d8c3c1870c17e7882bb001a07a36baa0d7909b23		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55E6 11128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.