Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c96cffdb0473bec…

MALICIOUS

PDF

42.7 KB Created: 2020-08-30 07:49:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64219ddf16e8a055ebbc7ac530c43946 SHA-1: efc52f1e57ce310fd6fdf42c59b1f2d21fee660a SHA-256: 3c96cffdb0473bec7007078bee4ce7646d796c020b6eee1cd456b1d78b5b0199
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to PDF files hosted on Shopify. One of these links, however, directs to a known malicious redirector at 'ttraff.com'. This suggests a link farm or SEO poisoning attack designed to lure users to malicious content. No scripts were extracted, and the document body was heavily obfuscated.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=pronombres+y+determinantes+posesivos+ejercicios
    • https://cdn.shopify.com/s/files/1/0429/7470/7868/files/college_algebra_and_trigonometry_6th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0434/5636/4711/files/kulemalo.pdf
    • https://cdn.shopify.com/s/files/1/0429/9161/6153/files/72353964349.pdf
    • https://cdn.shopify.com/s/files/1/0433/4416/7064/files/fokuzuf.pdf
    • https://cdn.shopify.com/s/files/1/0435/3903/8359/files/71949158388.pdf
    • https://cdn.shopify.com/s/files/1/0433/7323/2291/files/lagu_yg_terdalam_cover_reggae.pdf
    • https://cdn.shopify.com/s/files/1/0431/0158/5562/files/aspartato_aminotransferasa_funcion.pdf
    • https://static.usrfiles.com/ugd/b8c837_6b8d4db34fb94d73a78dfc389e551d89.pdf
    • https://static.usrfiles.com/ugd/b8c837_811a76de6e2a46d895548fab17035b52.pdf
    • https://static.usrfiles.com/ugd/5899d5_2174698d4b2347ebbd3272d81e2364f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_5f35e69666394c26ba122993f94d4a6d.pdf
    • https://static.usrfiles.com/ugd/97368a_883a67901af842eea7596969e3aa3bb5.pdf
    • https://static.usrfiles.com/ugd/d5415a_3fc038dd8c924028bcb6995b71266e59.pdf
    • https://static.usrfiles.com/ugd/9374a7_74cce3d22b7b4f4ab5d216cc3172576b.pdf
    • https://static.usrfiles.com/ugd/0fdb6d_cc9e34b9bb4f4f31844386ab1fcfd01a.pdf
    • https://static.usrfiles.com/ugd/52b593_ba749f414d6e4386aa9a2190337aad7b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006001.bin
b88c707d25b04589ceea1f0cb380465dc4dad386dd20f8195bca53ba99872949		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6001 5564 bytes
font_01_sfnt_off000072dc.bin
ce333b23b9b1f391d8a78f78e3fabfda33f0088e59f1e78eebc1de9ab8592e35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72DC 12868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.