Malicious PDF — malware analysis report

Static analysis result for SHA-256 42c12c16e78af336…

MALICIOUS

PDF

35.2 KB Created: 2020-09-05 12:08:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f85eda122ace3a0d17d0eaa3aa61e9a SHA-1: beab413520c3a1002e34be5e334dd0fb922764eb SHA-256: 42c12c16e78af336bf49ed06682b9598a2571b18431d7e8c3c99100d1e036eb4
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, indicating it directs users to a known malicious redirector. Additionally, PDF_SEO_LINK_FARM indicates a mass external PDF link farm, with the primary URL being a redirector. The document body contains the URL https://ttraff.link/wix?keyword=cg+songs++new, which is likely intended to lead the user to malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=cg+songs++new
    • https://cdn.shopify.com/s/files/1/0437/9662/7618/files/symmetry_math_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/nulexukiwogefera.pdf
    • https://cdn.shopify.com/s/files/1/0457/7037/5324/files/gba_emulator_android_full_apk.pdf
    • https://cdn.shopify.com/s/files/1/0433/8935/4149/files/gugakokize.pdf
    • https://cdn.shopify.com/s/files/1/0428/6952/2599/files/2008_cadillac_sts_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/9651/4461/files/guidepoint_systems_plans.pdf
    • https://cdn.shopify.com/s/files/1/0437/7185/5002/files/ligopokaliw.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/lalosukiwafigoledexefes.pdf
    • https://cdn.shopify.com/s/files/1/0440/4147/0117/files/sinozidifalefesezo.pdf
    • https://cdn.shopify.com/s/files/1/0431/6450/0122/files/definition_of_business_economics.pdf
    • https://cdn.shopify.com/s/files/1/0433/6369/6805/files/nebizajofuk.pdf
    • https://static.usrfiles.com/ugd/b8c837_5b0760ebcf8242cf9a594d4b66f2709a.pdf
    • https://static.usrfiles.com/ugd/7d1dc9_4818f5be91b6471c9111d03b96f87af0.pdf
    • https://static.usrfiles.com/ugd/f3cb45_2ede29f71dfb4e7ca1565548e56deb1d.pdf
    • https://static.usrfiles.com/ugd/87fdc7_9ec987fabb8c4cd9a42b9f82113f9bf0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004500.bin
76258f39c63b5b89d694d3d96bd726c86e20f50e48bea0db188240694b227678		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4500 4512 bytes
font_01_sfnt_off00005481.bin
5ec242e8f180785e8d73d50f9b992facbd20aba5c05870dfbc4e8f4b18a40000		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5481 13652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.