Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c26a2d292e49246…

Verdict: MALICIOUS
File type: PDF
Size: 36.6 KB
Created: 2020-08-29 12:02:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 91053b483fc0a3ccef68e943cb5df902
SHA-1: 59edb398d27ccfb60bb13300f50f2a50005c1035
SHA-256: 3c26a2d292e49246f7ca84e077b397390766a7caf64328b7b012173fac6927d6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, identified as a link farm. One of these links, 'https://ttraff.cc/wix?keyword=patron+mutlu+son+istiyor+indir', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL, suggesting it is the primary lure. The presence of numerous links hosted on seemingly benign platforms like Shopify indicates an attempt to obscure the malicious destination.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.cc/wix?keyword=patron+mutlu+son+istiyor+indir

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
-----------------------------|------------------------------------------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off00004446.bin | 8a02f4e53cb4bac9a96baa622fc162fa8e367eb6d262521bfa0ead34277e8354 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4446 | 4836 bytes
font_01_sfnt_off00005483.bin | 157f35e88b676888cfd8266de35a197ca34f02b7323cde8ca8800142dccd99ae | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5483 | 10436 bytes
font_02_sfnt_off000075c8.bin | 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x75C8 | 4324 bytes