Malicious PDF — malware analysis report

Static analysis result for SHA-256 45a1d36d0844bbad…

MALICIOUS

PDF

46.9 KB Created: 2020-08-30 07:23:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f58bf34ac25c81deb7dc42ef775602a SHA-1: 9c411a83c4bc55740456acc1007f3ae5005ddc53 SHA-256: 45a1d36d0844bbadb8486f005bbf90dffb16939f71052c365909925534922311
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to a link farm hosted on Shopify. The primary malicious link, 'https://ttraff.com/wix?keyword=hard+doggystyle+porn', is identified as a malicious redirector. This suggests the document's purpose is to direct users to potentially harmful content or further malicious sites through a chain of redirects.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=hard+doggystyle+porn
    • https://cdn.shopify.com/s/files/1/0429/4869/0076/files/wopugizujiv.pdf
    • https://cdn.shopify.com/s/files/1/0431/7344/5792/files/leninoxud.pdf
    • https://cdn.shopify.com/s/files/1/0440/2964/0854/files/tekiriwinetomisokuran.pdf
    • https://static.usrfiles.com/ugd/b8c837_a107a1d0827641bd97289a95c729bf0a.pdf
    • https://static.usrfiles.com/ugd/868401_11ef6f2e872548aab9a39a6b7f6c6553.pdf
    • https://static.usrfiles.com/ugd/b8c837_4985129fd57a4576b36b95f300dba106.pdf
    • https://static.usrfiles.com/ugd/b8c837_95c7f6ad57df4bddbf3a866824462b2a.pdf
    • https://static.usrfiles.com/ugd/5438e3_d1e797d165a14a27bcdad819aae4fbe6.pdf
    • https://static.usrfiles.com/ugd/d775a9_894dab2a00d043e5a8b938dd99d59192.pdf
    • https://static.usrfiles.com/ugd/ca9b0a_54f0191420f8430cba7dd83f0cb81d3c.pdf
    • https://static.usrfiles.com/ugd/b8c837_b9a42f47445e48849989b37a702e4ada.pdf
    • https://cdn.shopify.com/s/files/1/0435/9254/8515/files/tennessee_driver_license_reinstatement_office_memphis_tn.pdf
    • https://cdn.shopify.com/s/files/1/0465/5123/6766/files/71972328305.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005475.bin
bc955a3f3f00c06e54727d507b44737149ea8a13e1625c09c7449c373ceebfdd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5475 5192 bytes
font_01_sfnt_off00006633.bin
2a5d1381cb1dcd82b9572ad1762d8f290541140d29aa16269a9955ba40cdd968		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6633 13944 bytes
font_02_sfnt_off000091b1.bin
0eb83717cf6509982a8fd4817d0e8fb5534697541fe93e23429fab2e24f8b96f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x91B1 18444 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.