Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ebf08128383e0a9…

MALICIOUS

PDF

38.7 KB Created: 2020-08-25 23:53:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fb6bd092ab668cc39542ae7a5af5f0b SHA-1: 652ffaf02d6725ade489a7bc35be464b662fc2f2 SHA-256: 3ebf08128383e0a963ecb6a4ae6b2d7085c891a61a3d158427820460c84468b6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one critical heuristic identifying it as a PDF link farm. The primary malicious URL, https://ttraff.com/pify?keyword=adventurer%2527s+guide+5e, is flagged as a known malicious redirector. The document body, though heavily obfuscated, contains references to the Adventurer's Guide and the wkhtmltopdf tool, suggesting a lure document. The presence of numerous Shopify links, while many are confirmed benign, contributes to the overall link farm characteristic.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=adventurer%2527s+guide+5e
    • http://vazavew.lauralrees.com/uploads/1/3/1/4/131436977/9259325.pdf
    • http://files.chapelcafe.co.uk/uploads/1/3/0/7/130776077/3856109.pdf
    • http://files.pcapitant.com/uploads/1/3/2/8/132814544/zatorovilakug.pdf
    • https://cdn.shopify.com/s/files/1/0431/2468/7014/files/types_of_boundaries.pdf
    • https://cdn.shopify.com/s/files/1/0432/1997/6350/files/kadigotuzutopitawiganilub.pdf
    • https://cdn.shopify.com/s/files/1/0433/7506/7297/files/fractions_and_decimals_worksheets_grade_7.pdf
    • https://cdn.shopify.com/s/files/1/0429/3961/3347/files/mofabu.pdf
    • https://cdn.shopify.com/s/files/1/0427/7898/4614/files/xenodopefijel.pdf
    • https://cdn.shopify.com/s/files/1/0446/5518/1987/files/catalan_numbers_with_applications.pdf
    • https://cdn.shopify.com/s/files/1/0433/1234/9334/files/irs_form_1040_modified_adjusted_gross_income.pdf
    • https://cdn.shopify.com/s/files/1/0433/5350/5946/files/66324864178.pdf
    • https://cdn.shopify.com/s/files/1/0429/3050/3846/files/61726252798.pdf
    • https://cdn.shopify.com/s/files/1/0432/9596/5352/files/31121757907.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000044c1.bin
9a74afa5c491e6bde2e08d1a768ce0592e8abdb110707daa2de1ef2b7cbc40bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x44C1 4956 bytes
font_01_sfnt_off000055be.bin
0b0481044d6da6085b9cc56f8f7dd3ff7bf31f20ed54ed06e4fdf4ed2b3b1b0f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55BE 10248 bytes
font_02_sfnt_off00007904.bin
cc032a1d7efe9f52c63bdca4360dad9aff78fb14a47167d9e0089e6cc9416013		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7904 16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.