Malicious PDF — malware analysis report

Static analysis result for SHA-256 481830daf2e22a09…

MALICIOUS

PDF

41.1 KB Created: 2020-09-05 07:18:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f5e2877bc65724f8a56f4d716e20ea1 SHA-1: 2762548e254c1eab95ba2e5f9211e67c337aae2b SHA-256: 481830daf2e22a09ec420fcaa65a663e92182195632ed29d0283b9a95fda3e40
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a mass of external links, masquerading as search results for a technical query. One of these links, https://ttraff.me/wix?keyword=convert+bitmap+into+base64+android, points to a known malicious redirector. The document body is heavily obfuscated but contains the same malicious URL, reinforcing the lure. The presence of numerous benign-looking Shopify links suggests an attempt to blend malicious links with legitimate ones.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=convert+bitmap+into+base64+android
    • https://cdn.shopify.com/s/files/1/0432/9606/3652/files/77935385819.pdf
    • https://cdn.shopify.com/s/files/1/0458/2467/1907/files/react_js_bootstrap_form.pdf
    • https://cdn.shopify.com/s/files/1/0435/8992/7067/files/audi_q7_owners_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/6472/9512/files/gijutakifuzijuwitogawabu.pdf
    • https://cdn.shopify.com/s/files/1/0431/7570/6788/files/4632853269.pdf
    • https://static.usrfiles.com/ugd/374ce0_f669326d3e4a45e5a2e8b6730928287a.pdf
    • https://static.usrfiles.com/ugd/0789d5_ddee59f7f7ca460b9b6a204e8bb3aea8.pdf
    • https://static.usrfiles.com/ugd/136d07_7fff214534904a26aaeb44ff5c3f4b5c.pdf
    • https://static.usrfiles.com/ugd/9734e7_520f4cc787fb40a39851a05fa041b20c.pdf
    • https://static.usrfiles.com/ugd/685707_734434c53beb4f0a8bcfb0d58aaf031f.pdf
    • https://static.usrfiles.com/ugd/10e3af_263edfddc52847b2b64edd415c4a7276.pdf
    • https://static.usrfiles.com/ugd/54bec1_13309fac7e4e4568aacd782910242c99.pdf
    • https://static.usrfiles.com/ugd/b8c837_f1b535e3ad7641ceab5dcd7fd233ed9f.pdf
    • https://static.usrfiles.com/ugd/0bfb20_bb28bfa2cbb34d69a4018a940589a7dc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006285.bin
46591f262d0478caf7b48fe29b49125da1eab6741e0375d02fd94290a9e8b915		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6285 5420 bytes
font_01_sfnt_off000074da.bin
838de7aaa6871c27e118214ec3ba1dfded724df58b3c24127804d2ea7196d8af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74DA 10192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.