Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e619a7c28b5a92e…

MALICIOUS

PDF

46.8 KB Created: 2020-08-31 02:59:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e89a0ec0db7733b2cb9776d393ae67c SHA-1: 04ad56b31abc89d22f8800a2a6f62697ebd7388b SHA-256: 3e619a7c28b5a92e365a93d40a4c2ef6de605ed1a9e3673d27ab8d8f37f11146
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, a significant portion of which point to a link farm hosted on cdn.shopify.com. One of these links, https://ttraff.com/wix?keyword=exercicios+movimento+circular, is identified as a malicious redirector. This suggests the document is designed to redirect users to potentially harmful websites, likely for phishing or malware distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=exercicios+movimento+circular
    • https://cdn.shopify.com/s/files/1/0433/3069/9414/files/jizejariwikunut.pdf
    • https://cdn.shopify.com/s/files/1/0431/1993/5655/files/momidujurewuxefafozat.pdf
    • https://cdn.shopify.com/s/files/1/0460/5755/4075/files/bahubali_2_telugu_4k_movie_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/4279/1839/files/conjuntivitis_bacteriana_hiperaguda.pdf
    • https://cdn.shopify.com/s/files/1/0459/8648/0295/files/bandos_solo_guide.pdf
    • https://cdn.shopify.com/s/files/1/0429/7100/5082/files/skyrim_for_mac.pdf
    • https://cdn.shopify.com/s/files/1/0433/7827/8563/files/59842421829.pdf
    • https://cdn.shopify.com/s/files/1/0427/8291/6767/files/accumulating_positive_experiences_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0439/2773/2379/files/83377579978.pdf
    • https://cdn.shopify.com/s/files/1/0434/6213/1869/files/zafilifegisinofu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0712/3357/files/22389855635.pdf
    • https://static.usrfiles.com/ugd/253000_c4634cab2de04011a65fd12a88c81b34.pdf
    • https://static.usrfiles.com/ugd/5899d5_a12ee156deac400bbba22f5b27af1b35.pdf
    • https://static.usrfiles.com/ugd/c0b427_a306cbbe270541748c3eaa86911de4b3.pdf
    • https://static.usrfiles.com/ugd/b8c837_3d459e0df3594179a2af038a8a62afd7.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bb8.bin
a71c266fd9a52e4f4164c9b74e4c95b1a94df8c878771edac96b25456185a827		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BB8 5032 bytes
font_01_sfnt_off00007cc0.bin
06679467d4c33ad242c7c4c2c4f85199c0e7edb1f45c6d7858806cfe4b313e8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CC0 16292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.