Malicious PDF — malware analysis report

Static analysis result for SHA-256 38b91fc40a71d740…

MALICIOUS

PDF

41.4 KB Created: 2020-08-29 11:15:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7837646bc00c422a71033c83a55799b3 SHA-1: 2de9807184eb68a86f82b457ba9ea03a14925489 SHA-256: 38b91fc40a71d74073377f31de47d660b49738b4c1f6c54b6580afb2feadbd67
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for a malicious redirector link, pointing to 'ttraff.com'. The document body also contains this URL, presented as a free book download. This indicates a social engineering attempt to redirect users to malicious content. The file also contains a PDF link farm heuristic, suggesting it's part of a larger SEO poisoning campaign.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=c+real+book+6th+edition+pdf+free+dow
    • https://static.usrfiles.com/ugd/b8c837_043b03a4fe244744ae6adb5078defd7e.pdf
    • https://static.usrfiles.com/ugd/824332_a53618d9d1224553a5b61b04cc9b6a91.pdf
    • https://static.usrfiles.com/ugd/2813e2_bb9571fdd1f14a05ac479b987c980c98.pdf
    • https://static.usrfiles.com/ugd/b8c837_fad26301f2934494938991633e4346b4.pdf
    • https://cdn.shopify.com/s/files/1/0435/8956/6621/files/38721053066.pdf
    • https://cdn.shopify.com/s/files/1/0428/2892/3046/files/88885216380.pdf
    • https://cdn.shopify.com/s/files/1/0437/6304/0408/files/94460894816.pdf
    • https://cdn.shopify.com/s/files/1/0431/6823/5675/files/65106620483.pdf
    • https://cdn.shopify.com/s/files/1/0428/8082/7558/files/70042545436.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057a6.bin
20d68ad73cff38416e5a17d315aafc0a21fabb0ec778157bc3c51861341627c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57A6 5212 bytes
font_01_sfnt_off0000695c.bin
94d557167c0335b645cafa44dd3a674633fa31413f811a1dc0cdd43b3ca296c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x695C 9808 bytes
font_02_sfnt_off00008acd.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8ACD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.