Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f9c762d6a780e12…

MALICIOUS

PDF

43.5 KB Created: 2020-08-21 21:16:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 494560f5028066e96e00d91f18090a14 SHA-1: 2ab1a62f5beb1c3d7f2eb62787a6bfe04f1e06a6 SHA-256: 3f9c762d6a780e12e9232e611e49d6412618cd4c48898fa962e6be6fe4618ea1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains the URL 'https://ttraff.com/pify?keyword=kanika+mann+video' which is flagged as a malicious redirector. The presence of numerous links, including those hosted on Shopify, suggests a link farm designed to distribute malicious content or phish users. The file was generated using wkhtmltopdf, indicating a programmatic approach to creating the malicious document.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=kanika+mann+video
    • http://files.patriciajoaquimrealtor.com/uploads/1/3/0/7/130776791/e180bc43.pdf
    • http://files.nerinxhallspiritshop.org/uploads/1/3/0/8/130814432/3905685.pdf
    • http://files.tamimurphy.com/uploads/1/3/0/9/130969048/ee933b4.pdf
    • http://zeluxarut.vonfunkhouser.com/uploads/1/3/0/7/130739629/10e0aa5ad2b.pdf
    • https://cdn.shopify.com/s/files/1/0435/1636/2920/files/gabigepezuje.pdf
    • https://cdn.shopify.com/s/files/1/0430/3355/9203/files/43066715106.pdf
    • https://cdn.shopify.com/s/files/1/0435/5637/2641/files/78418956158.pdf
    • https://cdn.shopify.com/s/files/1/0431/7039/8357/files/97569869973.pdf
    • https://cdn.shopify.com/s/files/1/0431/7259/3825/files/vetosovapajulaposorefogi.pdf
    • https://cdn.shopify.com/s/files/1/0435/3314/0127/files/mubenotimipiremumixe.pdf
    • https://cdn.shopify.com/s/files/1/0434/1281/6026/files/50394575244.pdf
    • https://cdn.shopify.com/s/files/1/0433/6713/7438/files/faboronakasadixagir.pdf
    • https://cdn.shopify.com/s/files/1/0435/5247/3243/files/widut.pdf
    • https://cdn.shopify.com/s/files/1/0431/0453/4692/files/wirixed.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000608f.bin
237bc2a51f0f5359d0a556fbdf4bd8d70b8d76889031e52bbc5c0fffc6ec9e12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x608F 4468 bytes
font_01_sfnt_off00006f98.bin
35f844be29b403a8827b54fdb31132cf600c8cdbc2c35a0060d736240b64b313		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F98 10532 bytes
font_02_sfnt_off0000936a.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x936A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.