Malicious PDF — malware analysis report

Static analysis result for SHA-256 37a6be72b3c43e99…

MALICIOUS

PDF

31.9 KB Created: 2020-08-15 07:59:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86276e0f1559c9a8e846a5ce4f58f966 SHA-1: 005603020752e755a92d912ce9903da4c1e67bd0 SHA-256: 37a6be72b3c43e9999fee11b39c294bbf6e452691e190ada774769c326bf3d0d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to PDF files hosted on Shopify. One of these links, 'https://ttraff.cc/pify?keyword=brothers+video+song++tinyjuke', is identified as a malicious redirector. This suggests a tactic of creating a link farm to obscure malicious activity and potentially lure users to malicious sites.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=brothers+video+song++tinyjuke
    • http://files.mishabernard.com/uploads/1/3/1/3/131383754/155675.pdf
    • https://cdn.shopify.com/s/files/1/0431/3061/8011/files/mebex.pdf
    • https://cdn.shopify.com/s/files/1/0449/5107/7032/files/sling_blade_soundboard.pdf
    • https://cdn.shopify.com/s/files/1/0435/3989/0327/files/11400901303.pdf
    • https://cdn.shopify.com/s/files/1/0440/3278/6597/files/acoso_psicologico_laboral.pdf
    • https://cdn.shopify.com/s/files/1/0432/7751/6955/files/datiwibopazoxatakap.pdf
    • https://cdn.shopify.com/s/files/1/0433/2912/6550/files/free_download_math_worksheets_for_grade_5.pdf
    • https://cdn.shopify.com/s/files/1/0430/3942/4663/files/runepejepuwuraleb.pdf
    • https://cdn.shopify.com/s/files/1/0431/4133/3147/files/rakizus.pdf
    • https://cdn.shopify.com/s/files/1/0448/4051/7792/files/digital_fundamentals_10th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0432/0657/4240/files/history_fiction_or_science.pdf
    • https://cdn.shopify.com/s/files/1/0430/5253/1869/files/turn_youtube_video_into_gif.pdf
    • https://cdn.shopify.com/s/files/1/0430/0704/9877/files/92267531946.pdf
    • https://cdn.shopify.com/s/files/1/0431/8678/2369/files/structure_algorithme.pdf
    • https://cdn.shopify.com/s/files/1/0433/1975/4907/files/vinutonaligijobakez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000418a.bin
5468e9b3f503f71e141a0f24175dd27ece65b8825ad9a6f54b907c87f5be7b6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x418A 5196 bytes
font_01_sfnt_off00005348.bin
bb7cb92fd8edde805b61799497ecc89a43e50b438f22cc2dda784a6e26b975e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5348 9244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.