Malicious PDF — malware analysis report

Static analysis result for SHA-256 46d91c44dfb44bb2…

MALICIOUS

PDF

53.3 KB Created: 2020-09-02 02:00:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84a87f55e7c10409568fbaa2d593fbd6 SHA-1: b2a6b9ae462ca7091050ad47cf4ea715a6fba404 SHA-256: 46d91c44dfb44bb2057f3060171f6244055406e45e016f7b03f0245ea4fd8d80
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.me/wix?keyword=the+four+human+temperament+pdf'. This URL is likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, also contains this URL and numerous other Shopify and static.usrfiles.com links, suggesting a link farm or content distribution strategy. The primary attack pattern is social engineering via a seemingly benign document that leads to a malicious URL.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=the+four+human+temperament+pdf
    • https://cdn.shopify.com/s/files/1/0438/4030/7362/files/81243259875.pdf
    • https://cdn.shopify.com/s/files/1/0430/7451/9201/files/pirolapeb.pdf
    • https://cdn.shopify.com/s/files/1/0433/0445/2246/files/89150907237.pdf
    • https://cdn.shopify.com/s/files/1/0434/4548/5725/files/didujewuvejokig.pdf
    • https://static.usrfiles.com/ugd/e7e4a0_131d657c6ac24f318551af809408c2a2.pdf
    • https://static.usrfiles.com/ugd/2f07a1_01839740685a43228dbcc0c3b106d5f5.pdf
    • https://cdn.shopify.com/s/files/1/0437/0500/8293/files/advanced_excel_shortcuts_keys.pdf
    • https://cdn.shopify.com/s/files/1/0431/6663/0050/files/patewamunawurebarakiwebam.pdf
    • https://static.usrfiles.com/ugd/585b1d_c28cad7bbd9d46379affcd91a0499f49.pdf
    • https://static.usrfiles.com/ugd/d7ba0f_0f7597f760994dbbb9cee37de3106eda.pdf
    • https://static.usrfiles.com/ugd/3e9e83_d9265ef8d9a7464699690ca98358a170.pdf
    • https://static.usrfiles.com/ugd/b8c837_765b813be39641e098dfb3974e2d5643.pdf
    • https://static.usrfiles.com/ugd/e73fea_ae1d84405b4c4fe0b9ba47c3c0c44539.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009457.bin
103b5ba8bb8ffc1a2513a0b5dbb7b91c62eec11da369d3014b7f528599d2cf01		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9457 5020 bytes
font_01_sfnt_off0000a53b.bin
d3110ca87d15047a250c4c2f4de68cf615e60bdb4157b72bcf8a1ccaa2665f49		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA53B 10184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.