Malicious PDF — malware analysis report

Static analysis result for SHA-256 370d7ecb6dec4bf5…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2020-08-24 15:59:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5918a211475eccbc64b6bd248d408097
SHA-1: 9c205b3952fdf6ff8056d9e837c6de2384559ece
SHA-256: 370d7ecb6dec4bf52a032da183ba4dbf2674d72d27c189697323a1bacc732d2a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDFs hosted on various domains, suggesting a link farm or SEO poisoning tactic. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is also present in the document body. This indicates the primary purpose is to redirect users to malicious content, likely for phishing or malware delivery.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=article+370+essay+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off0000f988.bin
  SHA-256: ccca42f9ae6ba157704cd5c51aa58550659278d758167f278a4f4d1df22e2636
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF988
  Size: 5628 bytes

Artifact 2
  Filename: font_01_sfnt_off00010ccb.bin
  SHA-256: 86bde0d73e703118cec90addb07791a0917bd945b8b379c05597a135b76a060e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10CCB
  Size: 10636 bytes