Malicious PDF — malware analysis report

Static analysis result for SHA-256 3658a4f106f81874…

Verdict: MALICIOUS
File type: PDF
Size: 42.9 KB
Created: 2020-08-24 02:52:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59727400855a9f1b42d821861a55b8b7
SHA-1: 4b64a481d817afea242c71e76a9cc36a0068b142
SHA-256: 3658a4f106f818747c76b4d9f5e41d59752d7cc1f234e78c374ac078ede7e7df
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with a critical heuristic firing for a malicious redirector. The document body and extracted URLs suggest a link farm designed to manipulate SEO and potentially lead users to malicious content, as indicated by the ttraff.com redirector. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=acr+mammogram+screening+guidelines
    • http://futezo.drkesconcrete.com/uploads/1/3/1/0/131070761/feb05e95403ea.pdf
    • http://kururowo.theopengate.shop/uploads/1/3/0/7/130775710/lokad_gujugojupen_dogenosozejidus.pdf
    • http://nudorejav.trojerestaurant.com/uploads/1/3/1/3/131383434/vuwotagaridefo.pdf
    • http://files.prssasacstate.com/uploads/1/3/1/6/131607522/9474275.pdf
    • http://files.bocadeoro.org/uploads/1/3/0/7/130775728/burimixuxewu_xozupepif_wabovuvek_kojixa.pdf
    • https://cdn.shopify.com/s/files/1/0434/0717/9941/files/gta_5_ps4_preowned.pdf
    • https://cdn.shopify.com/s/files/1/0429/7742/7609/files/ramibexemimegobibifa.pdf
    • https://cdn.shopify.com/s/files/1/0431/1869/0458/files/92082059203.pdf
    • https://cdn.shopify.com/s/files/1/0431/6289/4495/files/hipotiroidismo_por_amiodarona.pdf
    • https://cdn.shopify.com/s/files/1/0432/4491/2802/files/chrome_certificate_ssl.pdf
    • https://cdn.shopify.com/s/files/1/0430/3486/9921/files/dipinu.pdf
    • https://cdn.shopify.com/s/files/1/0430/1979/6633/files/38162735281.pdf
    • https://cdn.shopify.com/s/files/1/0433/4891/8440/files/scorecloud_studio_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/9803/8679/files/66344975582.pdf
    • https://cdn.shopify.com/s/files/1/0433/7460/8545/files/18._2_modern_evolutionary_classification.pdf
    • https://cdn.shopify.com/s/files/1/0439/9936/3222/files/74067289609.pdf
    • https://cdn.shopify.com/s/files/1/0461/8066/3450/files/arte_bizantino_uaeh.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000069c8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x69C8   5248 bytes
  SHA-256: cbebf648bfe4cc63dc4b32f1ae1924a466c81c30998c62f646402789bd74589c
font_01_sfnt_off00007b76.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7B76   10252 bytes
  SHA-256: 97a59af098e0f3c819aa35f6870bd3b5ba2b958648a69497ff7a5774c60d6cfb