Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ffda0c9d4b4cffb…

MALICIOUS

PDF

42.1 KB Created: 2020-08-17 14:01:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 471bd2b38834e8edb7968cf953512956 SHA-1: fdd8590f325f0131d70a3874f3a023c6bb0c6810 SHA-256: 3ffda0c9d4b4cffb15fd8b42ddf36860129d2adae039b62105774a0b16b7fa06
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, but one critical link redirects to a known malicious redirector. The document body, though heavily obfuscated, contains the malicious URL and appears to be a lure related to Minecraft. This suggests the document's primary purpose is to redirect users to malicious infrastructure.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=minecraft+bookshelves+enchanting+guide
    • http://files.wilderways.scot/uploads/1/3/1/3/131379724/2d4448.pdf
    • https://cdn.shopify.com/s/files/1/0430/4666/6389/files/administration_duties_and_responsibilities.pdf
    • https://cdn.shopify.com/s/files/1/0437/6874/2040/files/11223243538.pdf
    • https://cdn.shopify.com/s/files/1/0427/4552/8487/files/auto_body_repair_technology_5th_edition.pdf
    • https://cdn.shopify.com/s/files/1/0436/9688/1814/files/sumapi.pdf
    • https://cdn.shopify.com/s/files/1/0431/8697/8984/files/6756026513.pdf
    • https://cdn.shopify.com/s/files/1/0433/6690/8054/files/kabivadesojisejeguveluteb.pdf
    • https://cdn.shopify.com/s/files/1/0430/7048/8730/files/48611762769.pdf
    • https://cdn.shopify.com/s/files/1/0428/5900/4070/files/mokijevajuxelovafojete.pdf
    • https://cdn.shopify.com/s/files/1/0438/0088/7457/files/pirutewoxenepasa.pdf
    • https://cdn.shopify.com/s/files/1/0431/6558/1468/files/jifevivudow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060be.bin
8a64755b8acd48fc7e9c6a8e794868904f2a52fc1b9cb2a2a4563cc69feb00f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60BE 5552 bytes
font_01_sfnt_off0000739e.bin
6222a14d83aa652e99b576003b551a5f04aefe625a7979433ea9c55990ea6d11		 pdf-font-stream PDF embedded font (sfnt) at offset 0x739E 12684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.