Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d2558407b8f9f44…

MALICIOUS

PDF

41.8 KB Created: 2020-09-13 10:59:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 557cfdac488284b3fbb32d6ff59cb328 SHA-1: dd0adf82aa8f6792f19739a12334ebe22da2d8e9 SHA-256: 3d2558407b8f9f44c033c694f29cac4318368b6cd99477308791fa177216b912
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One prominent link, 'https://ttraff.club/wix?keyword=what+is+deezloader+remix', is identified as a malicious redirector. This suggests the document's primary purpose is to direct users to malicious infrastructure, likely for further exploitation or phishing. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=what+is+deezloader+remix
    • http://files.marinavillagealameda.com/uploads/1/3/0/7/130776795/3800690.pdf
    • http://files.strictlyskillsbasketball.com/uploads/1/3/1/3/131381722/37eb1b45e.pdf
    • http://files.bloodsugarbikemagic.com/uploads/1/3/2/6/132681690/kuligutaje.pdf
    • http://nonabi.bapthetaxi.com/uploads/1/3/1/4/131408071/987022.pdf
    • http://files.smswanhill100years.com/uploads/1/3/1/4/131438071/329977.pdf
    • http://files.brennathompsonrd.com/uploads/1/3/0/7/130775868/19742053.pdf
    • http://files.dancefuriously.com/uploads/1/3/0/7/130776655/pivedirigulexi-narewipabu.pdf
    • https://static.usrfiles.com/ugd/74a852_b47b70335ecb401e903f6b2feb281d49.pdf
    • https://static.usrfiles.com/ugd/a42eed_f9c0df0b5c814391980a5ec6a9f79ed1.pdf
    • https://static.usrfiles.com/ugd/c4ccc4_1cefdd22410943958c718459b313f43b.pdf
    • https://static.usrfiles.com/ugd/2074c9_7254dd6f395c408cbb301685c26b4f13.pdf
    • https://static.usrfiles.com/ugd/04c368_fe687ce416954201bfaccd80a9d2c87e.pdf
    • https://cdn.shopify.com/s/files/1/0429/4436/4710/files/50588205405.pdf
    • https://cdn.shopify.com/s/files/1/0434/2077/8653/files/pashto_new_audio_song_2019.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/54686169254.pdf
    • https://cdn.shopify.com/s/files/1/0434/8923/1014/files/xegifexozusavi.pdf
    • https://cdn.shopify.com/s/files/1/0434/8110/4541/files/13506848998.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000656c.bin
4259c17793556743ab250eb63bce3cee6afa54a03cc607a354aad6ea3a601e22		 pdf-font-stream PDF embedded font (sfnt) at offset 0x656C 5196 bytes
font_01_sfnt_off000076ff.bin
071c29c2b5ee028d2f55a8bdff4b0b11102dc49356b0340225b87c6af3d137e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76FF 10452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.