Malicious PDF — malware analysis report

Static analysis result for SHA-256 417caf2d5d7b9557…

MALICIOUS

PDF

43.7 KB Created: 2020-08-28 22:18:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 543749bb87e12ba0f6d5264dea50b29f SHA-1: 709eb29f8ef991f58cd0a073b4ad9cc78b998d5b SHA-256: 417caf2d5d7b955700274187cf7aba2393f56df3aa9b6b4ea618f796698ec62e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on cdn.shopify.com. One of the primary links, https://ttraff.cc/wix?keyword=hoi3+usa+guide, is identified as a malicious redirector. This suggests the document is designed to direct users to malicious infrastructure, likely for further exploitation or phishing.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=hoi3+usa+guide
    • https://cdn.shopify.com/s/files/1/0427/8494/8380/files/zujar.pdf
    • https://cdn.shopify.com/s/files/1/0430/2176/2723/files/zebef.pdf
    • https://cdn.shopify.com/s/files/1/0428/4982/9023/files/50562637524.pdf
    • https://cdn.shopify.com/s/files/1/0448/4333/5837/files/workability_test_of_concrete.pdf
    • https://cdn.shopify.com/s/files/1/0438/6809/4629/files/virtual_job_board_uiuc.pdf
    • https://cdn.shopify.com/s/files/1/0433/6841/5400/files/32298601268.pdf
    • https://static.usrfiles.com/ugd/b8c837_1c8bcf3864ee4da09455be502f46e0e9.pdf
    • https://static.usrfiles.com/ugd/b8c837_e334b50ff0814d4296a42551ef71dad4.pdf
    • https://static.usrfiles.com/ugd/b8c837_fb642f2e8f87472d92571b067a601cef.pdf
    • https://static.usrfiles.com/ugd/b8c837_e5d6b7df37384fc9a880e88f05fb19f3.pdf
    • https://cdn.shopify.com/s/files/1/0439/0718/6843/files/casio_quartz_water_resist_100m_manual.pdf
    • https://cdn.shopify.com/s/files/1/0428/7086/6076/files/ignou_m._com_1st_year_solved_assignment_2020_19.pdf
    • https://cdn.shopify.com/s/files/1/0436/9619/3686/files/casting_defects_handbook.pdf
    • https://cdn.shopify.com/s/files/1/0429/3358/4028/files/26677030811.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dd4.bin
48af93d25f91b443b0fe3b80351d8dceab6478dd7efadcd6db466f0a93072066		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DD4 4988 bytes
font_01_sfnt_off00007ed9.bin
b4676b57baf9bce0cfe41092d69cb9ce944652494b0272a2c398ec51ccbf2b3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7ED9 10420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.