Malicious PDF — malware analysis report

Static analysis result for SHA-256 366858ff4b2ef080…

MALICIOUS

PDF

35.1 KB Created: 2020-09-01 09:04:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fa38845523f2ef4200f2eea65290b8a SHA-1: 46b94b397439410711bd25d6757ad46e0da701b0 SHA-256: 366858ff4b2ef080d388d5b78b3343b62f546d2918ad0a9d578f0cdc201a2d45
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or SEO poisoning tactic. One critical heuristic identified a link to a known malicious redirector, `https://ttraff.link/wix?keyword=bahubali+2+full+song++pagalworld`, which is likely the primary malicious payload delivery mechanism. The document body, though heavily obfuscated, contains this same malicious URL and appears to be a lure related to popular media content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=bahubali+2+full+song++pagalworld
    • https://cdn.shopify.com/s/files/1/0429/4852/6246/files/discrete_probability_distribution_example.pdf
    • https://cdn.shopify.com/s/files/1/0431/7141/4173/files/dark_souls_3_knight_armor.pdf
    • https://cdn.shopify.com/s/files/1/0465/0870/3894/files/89677208082.pdf
    • https://static.usrfiles.com/ugd/7603ae_430b59719d934e3c8b4c267877b5c37b.pdf
    • https://static.usrfiles.com/ugd/7e6083_b3c90b5ff75645e18ee29a1ffdfcdd81.pdf
    • https://static.usrfiles.com/ugd/b8c837_2a2e8e66c18a498cbc81d98abc945bcc.pdf
    • https://static.usrfiles.com/ugd/ce14f3_bc1940bca36a4d0c9149aba608e6059d.pdf
    • https://static.usrfiles.com/ugd/aec2ea_edaa21375d164d2bb7c4ae3744839324.pdf
    • https://static.usrfiles.com/ugd/e23fbb_6d3bde0279cb4c95a35413b488d28015.pdf
    • https://static.usrfiles.com/ugd/41f880_09fda021bdb44207b89917377d04b649.pdf
    • https://static.usrfiles.com/ugd/97634b_c1728d1028f441948878e93a780ea624.pdf
    • https://static.usrfiles.com/ugd/b8c837_1b0978d96f8c45b39f765347f84a02ea.pdf
    • https://static.usrfiles.com/ugd/7603ae_607b2db9cd2c44ad9b873aed8b31381d.pdf
    • https://cdn.shopify.com/s/files/1/0432/0198/6723/files/fatuzodozusafepudivig.pdf
    • https://cdn.shopify.com/s/files/1/0448/5827/8050/files/articles_of_faith_james_e_talmage.pdf
    • https://cdn.shopify.com/s/files/1/0437/5412/7521/files/endotoxinas_y_exotoxinas_bacterianas.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b4c.bin
8128b27fd078701a4c220994bcee7129c789f7ba8ef7df5ea18d2f3e57fff1a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B4C 5716 bytes
font_01_sfnt_off00005ed1.bin
c77d883f7c75dd4486b8d6dda72a5ef81daf7d58497b4d7e5b92f093601e0b2d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5ED1 9540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.