Malicious PDF — malware analysis report

Static analysis result for SHA-256 48ae482e8bb6a0ac…

Verdict: MALICIOUS
File type: PDF
Size: 41.0 KB
Created: 2020-08-14 21:18:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ec067e89e62a1af84630e5465e78300
SHA-1: cd262cec2922d60ce5a13f631a0392b7411be03b
SHA-256: 48ae482e8bb6a0ac82aa1238ff4c688a037878b6cfd9222770a6bd94b5936532
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm for SEO manipulation. One critical heuristic identified a link to a known malicious redirector, ttraff.cc, which is used to obscure the final destination. The document body, though heavily corrupted, contains text related to 'Google earth 3d map software free', likely a lure to entice users to click the malicious link.

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=google+earth+3d+map+software+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005f46.bin | c43cb511014add461e89098f45f48c9aab15b126fbb280541f684074c1dfcd5c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F46 | 5744 bytes
font_01_sfnt_off000072cd.bin | 70b3f0bae1aadba006d9d7bbc13611f56eb127cc08700c5feb25e3396c0263f6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x72CD | 10656 bytes