Malicious PDF — malware analysis report

Static analysis result for SHA-256 4440a40f4837f805…

MALICIOUS

PDF

36.7 KB Created: 2020-08-29 22:46:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9476f50411a6ea9bb1a3252b5067f432 SHA-1: 41f640e71da24fb8f31864c3a719335c0a20336c SHA-256: 4440a40f4837f8053898e2ec2c2a7df26574570ee6d8bbc23e04ec60af2e399b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDFs hosted on platforms like Shopify and static.usrfiles.com. One of the primary links, https://ttraff.cc/wix?keyword=biochemistry+5th+edition+by+garrett, is identified as a malicious redirector. This suggests the document is part of an SEO poisoning or link farm attack, aiming to drive traffic to malicious infrastructure under the guise of providing academic resources.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=biochemistry+5th+edition+by+garrett
    • https://cdn.shopify.com/s/files/1/0440/4966/2117/files/bubifufukarelo.pdf
    • https://cdn.shopify.com/s/files/1/0433/9502/3013/files/43616222147.pdf
    • https://cdn.shopify.com/s/files/1/0429/0609/1673/files/sadidoxedesaro.pdf
    • https://static.usrfiles.com/ugd/3b47cb_36eee5864bc140009f764aa75f9b11f5.pdf
    • https://static.usrfiles.com/ugd/696b8a_fca2fd696709473caa0bc383c4233acf.pdf
    • https://static.usrfiles.com/ugd/b8c837_e8583b214ffa40809a142a7795c9f486.pdf
    • https://static.usrfiles.com/ugd/b8c837_546f0c14522f407285d95ada23eb0cad.pdf
    • https://cdn.shopify.com/s/files/1/0432/6624/4766/files/78100535203.pdf
    • https://cdn.shopify.com/s/files/1/0434/2359/6693/files/ionic_bonding_worksheet_doc.pdf
    • https://cdn.shopify.com/s/files/1/0437/5989/4689/files/gomalusa.pdf
    • https://cdn.shopify.com/s/files/1/0428/5900/4070/files/new_iphone_update_13.pdf
    • https://cdn.shopify.com/s/files/1/0430/3277/2757/files/85683193365.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000424a.bin
618c83b77a355e03b3e2f8a1faa0509d0b526be7af2f0ad10d4c77c8e01795c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x424A 5524 bytes
font_01_sfnt_off000054e7.bin
eb3636599a9d0260b078f0bd6b0afcad9071617a6e4f45a17970c235d46745c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54E7 10248 bytes
font_02_sfnt_off000077f5.bin
1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77F5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.